Analysis
-
max time kernel
837s -
max time network
848s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09-08-2024 15:27
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://gitlab.com/3000IQPlay/Grim-3.0
Resource
win10v2004-20240802-en
badrabbittroldeshwannacrydefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealertrojanupxworm
windows10-2004-x64
48 signatures
600 seconds
Errors
Reason
Machine shutdown
General
-
Target
https://gitlab.com/3000IQPlay/Grim-3.0
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" msiexec.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found -
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 9 IoCs
flow pid Process 426 5156 MsiExec.exe 431 5096 MsiExec.exe 710 5396 rundll32.exe 763 5396 rundll32.exe 810 5396 rundll32.exe 963 5396 rundll32.exe 1004 5396 rundll32.exe 1038 5396 rundll32.exe 1065 5396 rundll32.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation iIoAogAY.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6BB5.tmp [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6BBC.tmp [email protected] -
Executes dropped EXE 64 IoCs
pid Process 3928 GrimDownloader.exe 5044 GrimDownloader.exe 1836 GrimDownloader.exe 4252 GrimDownloader.exe 5512 taskdl.exe 2736 GrimDownloader.exe 3544 @[email protected] 5144 @[email protected] 824 taskhsvc.exe 1956 taskdl.exe 3792 taskse.exe 4612 @[email protected] 4496 329C.tmp 3744 taskdl.exe 4972 taskse.exe 4788 @[email protected] 5920 taskse.exe 5044 @[email protected] 3512 taskdl.exe 5592 taskse.exe 2732 @[email protected] 1536 taskdl.exe 4816 @[email protected] 2096 @[email protected] 1524 taskdl.exe 5192 taskse.exe 4372 taskse.exe 4952 @[email protected] 4956 taskdl.exe 4528 taskse.exe 5972 @[email protected] 4704 taskdl.exe 4884 meAIcMQI.exe 4384 iIoAogAY.exe 5944 [email protected] 4476 [email protected] 4012 taskse.exe 5936 @[email protected] 1800 [email protected] 5880 taskdl.exe 5464 [email protected] 5268 [email protected] 5204 [email protected] 2796 [email protected] 6104 [email protected] 3840 [email protected] 5344 [email protected] 5204 [email protected] 2644 [email protected] 5960 [email protected] 4100 [email protected] 4264 [email protected] 5204 [email protected] 2644 [email protected] 5660 [email protected] 4996 [email protected] 6100 [email protected] 2448 [email protected] 5032 [email protected] 4864 [email protected] 1820 [email protected] 1752 [email protected] 1800 [email protected] 2644 [email protected] -
Loads dropped DLL 43 IoCs
pid Process 824 taskhsvc.exe 824 taskhsvc.exe 824 taskhsvc.exe 824 taskhsvc.exe 824 taskhsvc.exe 824 taskhsvc.exe 824 taskhsvc.exe 824 taskhsvc.exe 5396 rundll32.exe 2556 rundll32.exe 5360 rundll32.exe 5492 [email protected] 5492 [email protected] 5156 MsiExec.exe 5156 MsiExec.exe 5156 MsiExec.exe 5156 MsiExec.exe 5156 MsiExec.exe 5156 MsiExec.exe 5156 MsiExec.exe 5156 MsiExec.exe 5156 MsiExec.exe 5156 MsiExec.exe 5364 MsiExec.exe 5156 MsiExec.exe 5492 [email protected] 5156 MsiExec.exe 4924 [email protected] 4924 [email protected] 5096 MsiExec.exe 5096 MsiExec.exe 5096 MsiExec.exe 5096 MsiExec.exe 5096 MsiExec.exe 5096 MsiExec.exe 5096 MsiExec.exe 5096 MsiExec.exe 5096 MsiExec.exe 5096 MsiExec.exe 5644 MsiExec.exe 5096 MsiExec.exe 4924 [email protected] 5096 MsiExec.exe -
Modifies file permissions 1 TTPs 3 IoCs
pid Process 5740 icacls.exe 1104 icacls.exe 3880 icacls.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2248-1419-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2248-1420-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2248-1421-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2248-1423-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2248-1426-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/5392-1427-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/5392-1428-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2248-1429-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/5392-1437-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2248-1465-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2248-1489-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2248-1495-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2248-3052-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2248-3094-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2248-3133-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2248-3149-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2248-3170-0x0000000000400000-0x00000000005DE000-memory.dmp upx -
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EcgwwgMo.exe = "C:\\ProgramData\\secUIYwY\\EcgwwgMo.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fnnvghpejgiq616 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\"" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\meAIcMQI.exe = "C:\\Users\\Admin\\ReswEQAM\\meAIcMQI.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iIoAogAY.exe = "C:\\ProgramData\\pioAIkgs\\iIoAogAY.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iIoAogAY.exe = "C:\\ProgramData\\pioAIkgs\\iIoAogAY.exe" iIoAogAY.exe Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\meAIcMQI.exe = "C:\\Users\\Admin\\ReswEQAM\\meAIcMQI.exe" meAIcMQI.exe Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TuMwwcEg.exe = "C:\\Users\\Admin\\COQYYQgI\\TuMwwcEg.exe" [email protected] -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: [email protected] File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\M: [email protected] File opened (read-only) \??\W: [email protected] File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: [email protected] File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\T: [email protected] File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\G: [email protected] File opened (read-only) \??\K: [email protected] File opened (read-only) \??\L: [email protected] File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\E: [email protected] File opened (read-only) \??\I: [email protected] File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\P: [email protected] File opened (read-only) \??\S: [email protected] File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: [email protected] File opened (read-only) \??\A: [email protected] File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\V: [email protected] File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: [email protected] File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\S: [email protected] File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\H: [email protected] File opened (read-only) \??\U: [email protected] File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\G: [email protected] File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\T: [email protected] File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Q: [email protected] File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\M: [email protected] -
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 240 raw.githubusercontent.com 242 raw.githubusercontent.com 241 raw.githubusercontent.com 243 raw.githubusercontent.com 261 raw.githubusercontent.com -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\gwMC.exe iIoAogAY.exe File created C:\Windows\SysWOW64\CQEI.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\OIYo.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\EQAE.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\YAYU.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\oUUW.exe iIoAogAY.exe File created C:\Windows\SysWOW64\ekMc.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\gsQa.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\mswS.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\CcQW.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\QAEW.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\yUQu.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\EYoa.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\ewAi.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\aUoi.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\QEAK.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\asMY.ico iIoAogAY.exe File created C:\Windows\SysWOW64\WwAQ.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\SoIw.exe iIoAogAY.exe File created C:\Windows\SysWOW64\aQcs.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\OEwa.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\mEok.ico iIoAogAY.exe File created C:\Windows\SysWOW64\OgwU.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\CMIK.exe iIoAogAY.exe File created C:\Windows\SysWOW64\CwUo.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\Kwga.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\IQEw.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\OUwI.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\KsMq.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\GAwo.exe iIoAogAY.exe File created C:\Windows\SysWOW64\ysMW.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\WQou.ico iIoAogAY.exe File created C:\Windows\SysWOW64\KogC.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\qYEe.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\igoA.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\MMMG.exe iIoAogAY.exe File created C:\Windows\SysWOW64\CMIK.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\Goom.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\CwUo.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\wsgK.ico iIoAogAY.exe File created C:\Windows\SysWOW64\kwko.exe iIoAogAY.exe File created C:\Windows\SysWOW64\GAwo.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\kMQi.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\sssW.exe iIoAogAY.exe File created C:\Windows\SysWOW64\oUUW.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\EsMs.ico iIoAogAY.exe File created C:\Windows\SysWOW64\eUgo.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\gwMC.exe iIoAogAY.exe File created C:\Windows\SysWOW64\OUwI.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\WYQG.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\KgYe.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\YYMa.ico iIoAogAY.exe File created C:\Windows\SysWOW64\mMIS.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\QcAi.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\CkkQ.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\GEsa.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\QgQg.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\kEAo.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\ekMc.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\qoAE.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\Uosq.ico iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\shell32.dll.exe iIoAogAY.exe File created C:\Windows\SysWOW64\YAYU.exe iIoAogAY.exe File opened for modification C:\Windows\SysWOW64\WQgu.exe iIoAogAY.exe -
Sets desktop wallpaper using registry 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected] -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav msiexec.exe File opened for modification C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav msiexec.exe File opened for modification C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe msiexec.exe File created C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe msiexec.exe -
Drops file in Windows directory 48 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI19DB.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI1A7E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1AEF.tmp msiexec.exe File created C:\Windows\Installer\e5f1951.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI3217.tmp msiexec.exe File opened for modification C:\Windows\Debug\WIA\wiatrace.log Process not Found File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI1A5D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1A7D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI31F6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI32E6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1A0B.tmp msiexec.exe File created C:\Windows\infpub.dat [email protected] File opened for modification C:\Windows\Installer\MSI19BB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1B7D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3228.tmp msiexec.exe File opened for modification C:\Windows\Tasks\sys.job MsiExec.exe File created C:\Windows\infpub.dat [email protected] File opened for modification C:\Windows\Installer\MSI1A2C.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Tasks\sys.job MsiExec.exe File opened for modification C:\Windows\Installer\MSI32F6.tmp msiexec.exe File created C:\Windows\dispci.exe rundll32.exe File opened for modification C:\Windows\329C.tmp rundll32.exe File opened for modification C:\Windows\Installer\MSI1A2B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1A3D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3357.tmp msiexec.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\Installer\e5f194d.msi msiexec.exe File created C:\Windows\Installer\SourceHash{C452D4E2-DE24-48B6-B5C3-ACB240A01606} msiexec.exe File opened for modification C:\Windows\Installer\MSI1ABF.tmp msiexec.exe File opened for modification C:\Windows\Installer\e5f1951.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI31C5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI31E6.tmp msiexec.exe File created C:\Windows\infpub.dat [email protected] File opened for modification C:\Windows\Installer\MSI3387.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3218.tmp msiexec.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File opened for modification C:\Windows\Installer\MSI1A9F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1B2E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3307.tmp msiexec.exe File created C:\Windows\cscc.dat rundll32.exe File opened for modification C:\Windows\Installer\MSI3258.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3318.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI33C6.tmp msiexec.exe File opened for modification C:\Windows\Installer\e5f194d.msi msiexec.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File created C:\Users\Admin\Downloads\GrimDownloader.exe:Zone.Identifier firefox.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 684 6140 WerFault.exe 1017 4908 1268 WerFault.exe 1016 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language meAIcMQI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Process not Found -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\GroupProp = "25" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\12 Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\27 Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\5\ColumnProp\12 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\SortAscending = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\3\ColumnProp\12\Width = "200" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Height = "540" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\8\Width = "120" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\7\Visible = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\1\Visible = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\34\Width = "80" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\41\Width = "80" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\14\Width = "80" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\20\Visible = "0" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\8 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\5\ColumnProp\12\Width = "200" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\25 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\8\Visible = "0" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000262c84e5c2a8b24db398d3ff1cc7357000000000020000000000106600000001000020000000e80845ce1c269966c112dbc589f62ec64934e3399b99d75bc08a25c905e09d69000000000e8000000002000020000000a4a3f5fd5b53c420ec05e83e58d5fd35cc9dd98af3419a67388ffc2d7800852600010000b406d48f7e5bf352459482337f2d08e895f1e787b570c670a3b26d7a7ef40c0e5eb50c223cb21eeb500818cf28a350ebb40d4bd1e4df353d41209db9bee2f77061ff72fb25315c534e8a54b11394d90d1c637bf379d8f31d7e4f3eb0ffa32dd7234fa22e2ef15be663a3be962b762644dd847e6aa81548b00d3a2f86595bb283c3a26c87b80d4036f5c2b1de77a3092b003eeccb81c3d78ba4c267f210e9f22c30aa5ede581d9815a56a007c28192b1a46bf3fcfcc3bcd0d85d9dcfc572eaedcdf8d6f015a3a8eb17380729bfc4e48c16edd802ed1076ba3bb7c31ea14b851a4a76dd0d10bc7b3d307c50d3de3670805ff8086db19a2462445aef96277e1be21400000006957b1081c352a91e699fc8fb7d0bc8102c5e67f9266979c5ea5ca6fe3abc8c4dd6ff8dc6af9baa6477733b78f908a61e710096f8682668217fc35734bcc617a Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\1 Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\MAO Settings\Category\2\ColumnProp\22 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\2\ColumnProp\22\Width = "120" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\2\ColumnProp\31\Visible = "0" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31124082" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\5\ColumnProp Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\3\ColumnProp\27 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C29646F8-5665-11EF-8D5B-D6586EC96307} = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7AC56637-5665-11EF-8D5B-D6586EC96307} = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\2\ColumnProp\22\Visible = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\5\ColumnProp\27\Width = "80" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\20\Width = "120" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\5\GroupProp = "4294967295" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\3\ColumnProp\25\Width = "200" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\3\ColumnProp\25\Visible = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\42\Width = "80" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31124082" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\IESettingSync Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\MAO Settings Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\45\Width = "80" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\MAO Settings\Category\3 Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\MINIE Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1328092399" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\DomainSuggestion Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\16\Visible = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\3\SortProp = "12" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\45\Visible = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\3\ColumnProp\28\Visible = "1" Process not Found -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 msiexec.exe -
Modifies registry class 62 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\NodeSlot = "9" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "10" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 5a0031000000000009596c7b100053797374656d33320000420009000400efbe874f774809596c7b2e000000b90c000000000100000000000000000000000000000067911301530079007300740065006d0033003200000018000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 56003100000000000959647c100057696e646f777300400009000400efbe874f77480959647c2e0000000006000000000100000000000000000000000000000093cd9b00570069006e0064006f0077007300000016000000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10 Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1300000007393172d7e4da011c3c65e271eada01763302e971eada0114000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000000000001000000ffffffff Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Process not Found Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" Process not Found Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{D45C9D5D-9772-4AA3-BDB6-B728C1B74CE4} Process not Found -
Modifies registry key 1 TTPs 64 IoCs
pid Process 4100 reg.exe 5804 Process not Found 4004 Process not Found 5020 reg.exe 1412 reg.exe 624 reg.exe 5660 reg.exe 3484 Process not Found 4756 Process not Found 5512 reg.exe 1068 reg.exe 3356 reg.exe 2840 reg.exe 5912 Process not Found 4752 Process not Found 6140 Process not Found 1436 Process not Found 3148 reg.exe 5912 reg.exe 6060 reg.exe 2424 reg.exe 4596 reg.exe 4760 reg.exe 2996 Process not Found 3840 Process not Found 5948 reg.exe 924 Process not Found 3292 reg.exe 1820 Process not Found 4012 Process not Found 5940 reg.exe 3240 reg.exe 4700 reg.exe 1360 reg.exe 4120 reg.exe 2648 Process not Found 2716 Process not Found 5024 reg.exe 3768 reg.exe 4804 Process not Found 4592 Process not Found 5420 Process not Found 4372 Process not Found 5904 Process not Found 4732 reg.exe 936 reg.exe 5312 reg.exe 4468 reg.exe 1412 Process not Found 2628 Process not Found 5132 reg.exe 540 reg.exe 2216 Process not Found 4540 Process not Found 2796 reg.exe 4548 Process not Found 5128 Process not Found 5612 reg.exe 3688 reg.exe 1396 Process not Found 3964 Process not Found 1836 Process not Found 2560 Process not Found 4700 reg.exe -
NTFS ADS 7 IoCs
description ioc Process File created C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Winlocker.VB6.Blacksod.zip:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\PolyRansom.zip:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\GrimDownloader.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\ViraLock.zip:Zone.Identifier firefox.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5260 schtasks.exe 536 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4612 @[email protected] 4384 iIoAogAY.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid Process 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3424 firefox.exe Token: SeDebugPrivilege 3424 firefox.exe Token: SeIncreaseQuotaPrivilege 5044 WMIC.exe Token: SeSecurityPrivilege 5044 WMIC.exe Token: SeTakeOwnershipPrivilege 5044 WMIC.exe Token: SeLoadDriverPrivilege 5044 WMIC.exe Token: SeSystemProfilePrivilege 5044 WMIC.exe Token: SeSystemtimePrivilege 5044 WMIC.exe Token: SeProfSingleProcessPrivilege 5044 WMIC.exe Token: SeIncBasePriorityPrivilege 5044 WMIC.exe Token: SeCreatePagefilePrivilege 5044 WMIC.exe Token: SeBackupPrivilege 5044 WMIC.exe Token: SeRestorePrivilege 5044 WMIC.exe Token: SeShutdownPrivilege 5044 WMIC.exe Token: SeDebugPrivilege 5044 WMIC.exe Token: SeSystemEnvironmentPrivilege 5044 WMIC.exe Token: SeRemoteShutdownPrivilege 5044 WMIC.exe Token: SeUndockPrivilege 5044 WMIC.exe Token: SeManageVolumePrivilege 5044 WMIC.exe Token: 33 5044 WMIC.exe Token: 34 5044 WMIC.exe Token: 35 5044 WMIC.exe Token: 36 5044 WMIC.exe Token: SeIncreaseQuotaPrivilege 5044 WMIC.exe Token: SeSecurityPrivilege 5044 WMIC.exe Token: SeTakeOwnershipPrivilege 5044 WMIC.exe Token: SeLoadDriverPrivilege 5044 WMIC.exe Token: SeSystemProfilePrivilege 5044 WMIC.exe Token: SeSystemtimePrivilege 5044 WMIC.exe Token: SeProfSingleProcessPrivilege 5044 WMIC.exe Token: SeIncBasePriorityPrivilege 5044 WMIC.exe Token: SeCreatePagefilePrivilege 5044 WMIC.exe Token: SeBackupPrivilege 5044 WMIC.exe Token: SeRestorePrivilege 5044 WMIC.exe Token: SeShutdownPrivilege 5044 WMIC.exe Token: SeDebugPrivilege 5044 WMIC.exe Token: SeSystemEnvironmentPrivilege 5044 WMIC.exe Token: SeRemoteShutdownPrivilege 5044 WMIC.exe Token: SeUndockPrivilege 5044 WMIC.exe Token: SeManageVolumePrivilege 5044 WMIC.exe Token: 33 5044 WMIC.exe Token: 34 5044 WMIC.exe Token: 35 5044 WMIC.exe Token: 36 5044 WMIC.exe Token: SeIncreaseQuotaPrivilege 3788 WMIC.exe Token: SeSecurityPrivilege 3788 WMIC.exe Token: SeTakeOwnershipPrivilege 3788 WMIC.exe Token: SeLoadDriverPrivilege 3788 WMIC.exe Token: SeSystemProfilePrivilege 3788 WMIC.exe Token: SeSystemtimePrivilege 3788 WMIC.exe Token: SeProfSingleProcessPrivilege 3788 WMIC.exe Token: SeIncBasePriorityPrivilege 3788 WMIC.exe Token: SeCreatePagefilePrivilege 3788 WMIC.exe Token: SeBackupPrivilege 3788 WMIC.exe Token: SeRestorePrivilege 3788 WMIC.exe Token: SeShutdownPrivilege 3788 WMIC.exe Token: SeDebugPrivilege 3788 WMIC.exe Token: SeSystemEnvironmentPrivilege 3788 WMIC.exe Token: SeRemoteShutdownPrivilege 3788 WMIC.exe Token: SeUndockPrivilege 3788 WMIC.exe Token: SeManageVolumePrivilege 3788 WMIC.exe Token: 33 3788 WMIC.exe Token: 34 3788 WMIC.exe Token: 35 3788 WMIC.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 5796 msiexec.exe 5796 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe 4384 iIoAogAY.exe -
Suspicious use of SendNotifyMessage 44 IoCs
pid Process 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found 6960 Process not Found -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 3544 @[email protected] 3544 @[email protected] 5144 @[email protected] 5144 @[email protected] 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 4612 @[email protected] 4612 @[email protected] 4788 @[email protected] 5044 @[email protected] 2732 @[email protected] 4816 @[email protected] 2096 @[email protected] 4952 @[email protected] 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 5972 @[email protected] 3424 firefox.exe 3424 firefox.exe 3424 firefox.exe 5936 @[email protected] 544 OpenWith.exe 544 OpenWith.exe 544 OpenWith.exe 544 OpenWith.exe 544 OpenWith.exe 544 OpenWith.exe 544 OpenWith.exe 544 OpenWith.exe 544 OpenWith.exe 544 OpenWith.exe 544 OpenWith.exe 3400 Process not Found 640 Process not Found 640 Process not Found 640 Process not Found 640 Process not Found 3956 Process not Found 5864 Process not Found 3760 Process not Found 3140 Process not Found 3140 Process not Found 3140 Process not Found 5488 Process not Found 3684 Process not Found 3684 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4684 wrote to memory of 3424 4684 firefox.exe 83 PID 4684 wrote to memory of 3424 4684 firefox.exe 83 PID 4684 wrote to memory of 3424 4684 firefox.exe 83 PID 4684 wrote to memory of 3424 4684 firefox.exe 83 PID 4684 wrote to memory of 3424 4684 firefox.exe 83 PID 4684 wrote to memory of 3424 4684 firefox.exe 83 PID 4684 wrote to memory of 3424 4684 firefox.exe 83 PID 4684 wrote to memory of 3424 4684 firefox.exe 83 PID 4684 wrote to memory of 3424 4684 firefox.exe 83 PID 4684 wrote to memory of 3424 4684 firefox.exe 83 PID 4684 wrote to memory of 3424 4684 firefox.exe 83 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 2924 3424 firefox.exe 84 PID 3424 wrote to memory of 5060 3424 firefox.exe 85 PID 3424 wrote to memory of 5060 3424 firefox.exe 85 PID 3424 wrote to memory of 5060 3424 firefox.exe 85 PID 3424 wrote to memory of 5060 3424 firefox.exe 85 PID 3424 wrote to memory of 5060 3424 firefox.exe 85 PID 3424 wrote to memory of 5060 3424 firefox.exe 85 PID 3424 wrote to memory of 5060 3424 firefox.exe 85 PID 3424 wrote to memory of 5060 3424 firefox.exe 85 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 5 IoCs
pid Process 1896 attrib.exe 5876 attrib.exe 6104 attrib.exe 5428 attrib.exe 4940 attrib.exe
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://gitlab.com/3000IQPlay/Grim-3.0"1⤵
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://gitlab.com/3000IQPlay/Grim-3.02⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2040 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d90d2196-5302-4390-84c8-07777668b6dc} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" gpu3⤵PID:2924
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2324 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01333039-f731-4b04-899d-a1fc43e77512} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" socket3⤵PID:5060
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3012 -childID 1 -isForBrowser -prefsHandle 2756 -prefMapHandle 2748 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {575fd2cd-7d25-44a6-9b4c-310b4dad7f98} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" tab3⤵PID:4436
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1592 -childID 2 -isForBrowser -prefsHandle 3536 -prefMapHandle 3672 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ead2d761-dd57-43da-9900-996ae0eff5ee} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" tab3⤵PID:2744
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4700 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4792 -prefMapHandle 4780 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c271b327-bf9b-4cc7-869b-7f45531b1fd3} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" utility3⤵
- Checks processor information in registry
PID:696
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 3 -isForBrowser -prefsHandle 5408 -prefMapHandle 5404 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97b3eb1a-ded3-472e-90d1-ccc42bed30a0} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" tab3⤵PID:2288
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5196 -prefMapHandle 5276 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {860e9e06-effc-4ffc-a8f4-c41191b5423d} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" tab3⤵PID:3420
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5804 -childID 5 -isForBrowser -prefsHandle 5724 -prefMapHandle 5728 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bb6ef9b-7adc-4d69-be8d-c7aa5fb70997} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" tab3⤵PID:1240
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6504 -parentBuildID 20240401114208 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 30572 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62940dba-503d-412c-8728-442e560a327c} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" rdd3⤵PID:4072
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6580 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 2836 -prefMapHandle 2820 -prefsLen 30572 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9819064-0443-4d43-b49f-f5849294e9ed} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" utility3⤵
- Checks processor information in registry
PID:5004
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6948 -childID 6 -isForBrowser -prefsHandle 3688 -prefMapHandle 6928 -prefsLen 28038 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ad1ba7f-8b9b-49dc-873d-8e93c73154b2} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" tab3⤵PID:3772
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7128 -childID 7 -isForBrowser -prefsHandle 6716 -prefMapHandle 7192 -prefsLen 30572 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04cce0f5-5628-44ef-a995-bf020981c857} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" tab3⤵PID:5456
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7020 -childID 8 -isForBrowser -prefsHandle 7016 -prefMapHandle 2900 -prefsLen 28038 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72eb64b9-cdbe-4df5-adba-45f926a1d4c6} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" tab3⤵PID:5188
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4764
-
C:\Users\Admin\Desktop\GrimDownloader.exe"C:\Users\Admin\Desktop\GrimDownloader.exe"1⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic csproduct get uuid2⤵PID:1268
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib -h -s "C:\Users\Admin\AppData\Roaming\.feather\user-mods\1.20.1-fabric\Noxesium-v1_20_1-1.0.3.jar"2⤵PID:1820
-
C:\Windows\system32\attrib.exeattrib -h -s "C:\Users\Admin\AppData\Roaming\.feather\user-mods\1.20.1-fabric\Noxesium-v1_20_1-1.0.3.jar"3⤵
- Views/modifies file attributes
PID:1896
-
-
-
C:\Users\Admin\Desktop\GrimDownloader.exe"C:\Users\Admin\Desktop\GrimDownloader.exe"1⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic csproduct get uuid2⤵PID:3980
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3788
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\ResolveRegister.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵PID:864
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\62f635de91c045ad987d6ca747efc4c1 /t 3980 /p 8641⤵PID:4304
-
C:\Users\Admin\Desktop\GrimDownloader.exe"C:\Users\Admin\Desktop\GrimDownloader.exe"1⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic csproduct get uuid2⤵PID:1080
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵PID:2168
-
-
-
C:\Users\Admin\Desktop\GrimDownloader.exe"C:\Users\Admin\Desktop\GrimDownloader.exe"1⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic csproduct get uuid2⤵PID:4756
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵PID:4968
-
-
-
C:\Users\Admin\Desktop\[email protected]"C:\Users\Admin\Desktop\[email protected]"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2248
-
C:\Users\Admin\Desktop\[email protected]PID:5392
-
C:\Users\Admin\Desktop\[email protected]"C:\Users\Admin\Desktop\[email protected]"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:5748 -
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
PID:5876
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5740
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:5512
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 312581723217560.bat2⤵PID:6132
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵PID:2796
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE2⤵
- Views/modifies file attributes
PID:6104
-
-
C:\Users\Admin\Desktop\@[email protected]PID:3544
-
C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:824
-
-
-
C:\Windows\SysWOW64\cmd.exePID:1704
-
C:\Users\Admin\Desktop\@[email protected]PID:5144
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵PID:2732
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵PID:4736
-
-
-
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:1956
-
-
C:\Users\Admin\Desktop\taskse.exePID:3792
-
-
C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4612
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fnnvghpejgiq616" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f2⤵PID:4972
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fnnvghpejgiq616" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f3⤵
- Adds Run key to start application
PID:4484
-
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3744
-
-
C:\Users\Admin\Desktop\taskse.exePID:4972
-
-
C:\Users\Admin\Desktop\@[email protected]PID:4788
-
-
C:\Users\Admin\Desktop\taskse.exePID:5920
-
-
C:\Users\Admin\Desktop\@[email protected]PID:5044
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3512
-
-
C:\Users\Admin\Desktop\taskse.exePID:5592
-
-
C:\Users\Admin\Desktop\@[email protected]PID:2732
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:1536
-
-
C:\Users\Admin\Desktop\taskse.exePID:4372
-
-
C:\Users\Admin\Desktop\@[email protected]PID:4952
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4956
-
-
C:\Users\Admin\Desktop\taskse.exePID:4528
-
-
C:\Users\Admin\Desktop\@[email protected]PID:5972
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4704
-
-
C:\Users\Admin\Desktop\taskse.exePID:4012
-
-
C:\Users\Admin\Desktop\@[email protected]PID:5936
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:5880
-
-
C:\Users\Admin\Desktop\GrimDownloader.exe"C:\Users\Admin\Desktop\GrimDownloader.exe"1⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic csproduct get uuid2⤵PID:5904
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵PID:4308
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1576
-
C:\Users\Admin\Desktop\[email protected]PID:4404
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5396 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵PID:2112
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵PID:5588
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1670894837 && exit"3⤵PID:6012
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1670894837 && exit"4⤵
- Scheduled Task/Job: Scheduled Task
PID:5260
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:51:003⤵PID:3540
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:51:004⤵
- Scheduled Task/Job: Scheduled Task
PID:536
-
-
-
C:\Windows\329C.tmp"C:\Windows\329C.tmp" \\.\pipe\{CD0A64BF-380B-490C-9CEE-7839B9834691}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4496
-
-
-
C:\Users\Admin\Desktop\[email protected]PID:1820
-
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
PID:5428
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1104
-
-
C:\Users\Admin\Desktop\[email protected]PID:4100
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2556
-
-
C:\Users\Public\Desktop\@[email protected]"C:\Users\Public\Desktop\@[email protected]"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4816
-
C:\Users\Admin\Desktop\@[email protected]"C:\Users\Admin\Desktop\@[email protected]"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2096
-
C:\Users\Admin\Desktop\taskdl.exe"C:\Users\Admin\Desktop\taskdl.exe"1⤵
- Executes dropped EXE
PID:1524
-
C:\Users\Admin\Desktop\taskse.exe"C:\Users\Admin\Desktop\taskse.exe"1⤵
- Executes dropped EXE
PID:5192
-
C:\Users\Admin\Desktop\[email protected]PID:3948
-
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
PID:4940
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:3880
-
-
C:\Users\Admin\Desktop\[email protected]PID:5220
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5360
-
-
C:\Users\Admin\Desktop\[email protected]PID:5492
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\Desktop\[email protected] SETUPEXEDIR=C:\Users\Admin\Desktop\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:5796
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5192 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BE651FCDC6DD2BC7009317E82FB03F0E2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5156
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 18AE733B92DC2380D6E1B6CBC1F6C814 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5364
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1F8DC7DC6EDDF269966832DF48BD18582⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5096
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 200F8D2EF288978E05A632D55E3C2A2E E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5644
-
-
C:\Users\Admin\Desktop\[email protected]PID:4924
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\Desktop\[email protected] SETUPEXEDIR=C:\Users\Admin\Desktop\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:1396
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2072 -
C:\Users\Admin\ReswEQAM\meAIcMQI.exe"C:\Users\Admin\ReswEQAM\meAIcMQI.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4884
-
-
C:\ProgramData\pioAIkgs\iIoAogAY.exe"C:\ProgramData\pioAIkgs\iIoAogAY.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4384
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"2⤵PID:2320
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5788 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"4⤵PID:5884
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"6⤵PID:3168
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"8⤵PID:5620
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1800 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"10⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"12⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"14⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5204 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"16⤵PID:1268
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom17⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"18⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom19⤵
- Executes dropped EXE
PID:6104 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"20⤵PID:5324
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom21⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"22⤵PID:5564
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom23⤵
- Executes dropped EXE
PID:5344 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"24⤵PID:1500
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom25⤵
- Executes dropped EXE
PID:5204 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"26⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom27⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"28⤵PID:5404
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom29⤵
- Executes dropped EXE
PID:5960 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"30⤵PID:5796
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom31⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"32⤵PID:5220
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵PID:4592
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom33⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"34⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom35⤵
- Executes dropped EXE
PID:5204 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"36⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom37⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"38⤵PID:3124
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom39⤵
- Executes dropped EXE
PID:5660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"40⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom41⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"42⤵
- System Location Discovery: System Language Discovery
PID:1268 -
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom43⤵
- Executes dropped EXE
PID:6100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"44⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom45⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"46⤵PID:5740
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom47⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"48⤵PID:5184
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom49⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"50⤵PID:6004
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom51⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"52⤵PID:1536
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom53⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"54⤵PID:5200
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV155⤵PID:5404
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom55⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"56⤵PID:5512
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom57⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"58⤵PID:5864
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom59⤵PID:5660
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"60⤵PID:1268
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom61⤵PID:4876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"62⤵PID:5196
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom63⤵PID:3404
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"64⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom65⤵PID:5968
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"66⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom67⤵PID:5336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"68⤵PID:3852
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom69⤵PID:5660
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"70⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom71⤵PID:6036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"72⤵PID:924
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom73⤵PID:2908
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"74⤵PID:2072
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:5364
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom75⤵PID:4792
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"76⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom77⤵PID:5032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"78⤵PID:624
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom79⤵PID:5376
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"80⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom81⤵PID:1100
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"82⤵PID:5492
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom83⤵PID:1608
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"84⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom85⤵PID:5312
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"86⤵PID:5652
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom87⤵PID:5944
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"88⤵
- System Location Discovery: System Language Discovery
PID:5252 -
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom89⤵PID:5236
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"90⤵PID:1124
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom91⤵PID:1068
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"92⤵PID:5988
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom93⤵PID:2420
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"94⤵PID:6056
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom95⤵PID:4984
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"96⤵PID:5404
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom97⤵PID:5316
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"98⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom99⤵PID:5924
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"100⤵PID:5640
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom101⤵PID:5184
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"102⤵PID:3232
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom103⤵PID:4600
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"104⤵PID:5564
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom105⤵PID:2184
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"106⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom107⤵PID:2528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"108⤵PID:6076
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom109⤵PID:3388
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"110⤵PID:3968
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom111⤵
- Adds Run key to start application
PID:3688 -
C:\Users\Admin\COQYYQgI\TuMwwcEg.exe"C:\Users\Admin\COQYYQgI\TuMwwcEg.exe"112⤵PID:1268
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 228113⤵
- Program crash
PID:4908
-
-
-
C:\ProgramData\secUIYwY\EcgwwgMo.exe"C:\ProgramData\secUIYwY\EcgwwgMo.exe"112⤵PID:6140
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6140 -s 224113⤵
- Program crash
PID:684
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"112⤵PID:1396
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom113⤵PID:5740
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"114⤵PID:2564
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom115⤵PID:5888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"116⤵PID:5344
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom117⤵PID:4332
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"118⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom119⤵PID:3272
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"120⤵PID:1268
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom121⤵PID:456
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-