100c3b09213f...3c.exe
windows7-x64
80dab0428b4...50.exe
windows7-x64
1014d09a259f...32.exe
windows7-x64
1016c49d6775...56.exe
windows7-x64
71d241bd0b7...f4.exe
windows7-x64
92.exe
windows7-x64
6287a6b75d1...ad.exe
windows7-x64
1035b0676421...82.exe
windows7-x64
1039deb2f02f...9f.exe
windows7-x64
84.exe
windows7-x64
74a0f399840...33.exe
windows7-x64
105.exe
windows7-x64
853bdaf567e...fc.exe
windows7-x64
76.exe
windows7-x64
5646677375b...36.exe
windows7-x64
96dfb9490b1...f8.exe
windows7-x64
67.exe
windows7-x64
1071a20e2700...db.exe
windows7-x64
3835b0ef8f5...35.exe
windows7-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows7-x64
3b15b78937c...ac.exe
windows7-x64
7$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows7-x64
3b3dc1bb1c7...1b.exe
windows7-x64
5b4e3091d31...81.exe
windows7-x64
10c1b35d3d70...c3.exe
windows7-x64
10caa5f52a78...78.exe
windows7-x64
10d2878de61f...0b.exe
windows7-x64
7dbadeff4af...30.exe
windows7-x64
10f5d893afc4...e9.exe
windows7-x64
9Analysis
-
max time kernel
32s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
20-11-2024 13:09
Behavioral task
behavioral1
Sample
0c3b09213f642af5d6bca1708d167052f7fe198e5eced0e78584d8eb910b8d3c.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
0dab0428b414b0440288a12fbc20dab72339ef72ff5859e8c18d76dd8b169f50.exe
Resource
win7-20241010-en
Behavioral task
behavioral3
Sample
14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
16c49d677559071b3fc71fb4bb1a3c85cdcf7c4c27454010f69bb0bd04b1c456.exe
Resource
win7-20240708-en
Behavioral task
behavioral5
Sample
1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
2.exe
Resource
win7-20241010-en
Behavioral task
behavioral7
Sample
287a6b75d1776f89502a1fd0ec571adebff878becb0ebdcec703e8fc6e3885ad.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
Resource
win7-20241023-en
Behavioral task
behavioral9
Sample
39deb2f02fee04a430cff446b35b0984a66b563552775eb1309d35acca3a209f.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
4.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
5.exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
53bdaf567e302201ef06847d8914477e9a3852fc57d8e50606eab6bcdbdda8fc.exe
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
6.exe
Resource
win7-20240708-en
Behavioral task
behavioral15
Sample
646677375bc0ecaad279751d8d09220d5d44e20570548f8475f36803affda636.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
7.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
71a20e270052665d18bc0fe4d1f9608e51f4fd427442e7abc3e5d43c4e987bdb.exe
Resource
win7-20240708-en
Behavioral task
behavioral19
Sample
835b0ef8f5cfdc2ca8c0d3deccbafc48604e4a5356f0104cedfdfa20b20c2735.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241023-en
Behavioral task
behavioral21
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
b15b78937cd33dfaedef28385b293c92b999f37b2a97d01d516f6189a6afefac.exe
Resource
win7-20241023-en
Behavioral task
behavioral23
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
b3dc1bb1c72c6bda1a7508147b2c92021aa18eb99d419db7e8245f32979cd01b.exe
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
b4e3091d3119268dfc8ac3caf2d5d02fd4faa360f822a87b50110b805e465181.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
c1b35d3d70c59a66a35ab7e4981ee3459571af1e43997a334bac1c073485fec3.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
caa5f52a7811c49ae830606f01fd70d846fe53e9858603886f504e984fb2bc78.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
d2878de61ff17b2ae8cd556a6935af332955f07acf1991ab30ddeba9a5ced20b.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
dbadeff4af3fa7785d54d177db9608f24d405971cf642ca0759a203d9e895930.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
Resource
win7-20240903-en
General
-
Target
5.exe
-
Size
2.6MB
-
MD5
8795b9dc143cc722309f169b2c0d03dc
-
SHA1
9b059d1369cab7737df0e6a71c661538010c4a66
-
SHA256
378ecdd05f86116341b66cd65cc2099418df21fd4ae740b2bb7a172127fc6266
-
SHA512
725c65f51cd419fcb8423a5d527b22b179812b2dfb5bf2a54a1bf1330c64994a76f3ded5cdbc68cb42a09a59c4c78706ae7898b12aae52e56a1beec80967acea
-
SSDEEP
49152:Zkky3SUp+YA1iSuei6ZbSXo/LLAxjVH7fLxmal7+hUnWB:OFB0sV6Y4vgZ7LxmQyaI
Malware Config
Signatures
-
Drops file in Drivers directory 64 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\hidclass.sys cmd.exe File opened for modification C:\Windows\System32\drivers\it-IT\volmgrx.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\ja-JP\usbport.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\PEAuth.sys cmd.exe File opened for modification C:\Windows\System32\drivers\es-ES\scfilter.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\en-US\bfe.dll.mui cmd.exe File opened for modification C:\Windows\System32\drivers\en-US\usbrpm.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\Classpnp.sys cmd.exe File opened for modification C:\Windows\System32\drivers\es-ES\BrSerIb.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\es-ES\ndiscap.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\es-ES\pacer.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\es-ES\vwifibus.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\fr-FR\ndisuio.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\fr-FR\ohci1394.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\it-IT\mouhid.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\amdppm.sys cmd.exe File opened for modification C:\Windows\System32\drivers\vwifibus.sys cmd.exe File opened for modification C:\Windows\System32\drivers\it-IT\vwifibus.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\dxgmms1.sys cmd.exe File opened for modification C:\Windows\System32\drivers\en-US\hidbth.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\es-ES\acpi.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\fr-FR\mountmgr.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\fr-FR\vwifibus.sys.mui cmd.exe File opened for modification 
C:\Windows\System32\drivers\FWPKCLNT.SYS cmd.exe File opened for modification C:\Windows\System32\drivers\it-IT\ataport.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\de-DE\amdppm.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\en-US\vdrvroot.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\es-ES\HdAudio.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\es-ES\pscr.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\it-IT\i8042prt.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\it-IT\mouclass.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\rdyboost.sys cmd.exe File opened for modification C:\Windows\System32\drivers\spldr.sys cmd.exe File opened for modification C:\Windows\System32\drivers\en-US\bthport.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\vdrvroot.sys cmd.exe File opened for modification C:\Windows\System32\drivers\udfs.sys cmd.exe File opened for modification C:\Windows\System32\drivers\ja-JP\GAGP30KX.SYS.mui cmd.exe File opened for modification C:\Windows\System32\drivers\ja-JP\isapnp.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\ja-JP\ws2ifsl.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\srvnet.sys cmd.exe File opened for modification C:\Windows\System32\drivers\en-US\ndisuio.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\ja-JP\fltmgr.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\en-US\wdf01000.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\es-ES\bthenum.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\es-ES\isapnp.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\it-IT\bthpan.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\ja-JP\usbhub.sys.mui cmd.exe File 
opened for modification C:\Windows\System32\drivers\mrxsmb20.sys cmd.exe File opened for modification C:\Windows\System32\drivers\rdpwd.sys cmd.exe File opened for modification C:\Windows\System32\drivers\appid.sys cmd.exe File opened for modification C:\Windows\System32\drivers\UMDF\fr-FR\WUDFUsbccidDriver.dll.mui cmd.exe File opened for modification C:\Windows\System32\drivers\es-ES\fltmgr.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\it-IT\usbhub.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\ja-JP\disk.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\ja-JP\NV_AGP.SYS.mui cmd.exe File opened for modification C:\Windows\System32\drivers\de-DE\pscr.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\en-US\qwavedrv.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\es-ES\volmgrx.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\it-IT\BrSerIb.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\it-IT\pscr.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\ja-JP\scsiport.sys.mui cmd.exe File opened for modification C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf cmd.exe File opened for modification C:\Windows\System32\drivers\volmgrx.sys cmd.exe File opened for modification C:\Windows\System32\drivers\de-DE\rdvgkmd.sys.mui cmd.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2224 takeown.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
resource yara_rule behavioral12/memory/2180-12-0x000000013F320000-0x000000013F86A000-memory.dmp vmprotect behavioral12/memory/2180-13-0x000000013F320000-0x000000013F86A000-memory.dmp vmprotect behavioral12/memory/2180-447-0x000000013F320000-0x000000013F86A000-memory.dmp vmprotect -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Windows\assembly\Desktop.ini cmd.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\Windows\BITLOC~1\autorun.inf cmd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\System32\d3d8thk.dll cmd.exe File opened for modification C:\Windows\System32\dbnmpntw.dll cmd.exe File opened for modification C:\Windows\System32\de-DE\pdh.dll.mui cmd.exe File opened for modification C:\Windows\System32\de-DE\shutdown.exe.mui cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\AVC~1.INF\avc.sys cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\AVERHB~1.INF\AVERHB~1.PNF cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\HPOA1S~1.INF\hpoa1sd.PNF cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\MDMCPQ~2.INF\mdmcpq2.inf cmd.exe File opened for modification C:\Windows\System32\de-DE\activeds.dll.mui cmd.exe File opened for modification C:\Windows\System32\de-DE\CSRR.rs.mui cmd.exe File opened for modification C:\Windows\System32\de-DE\mlang.dll.mui cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\AVMX64~1.INF\c2.bin cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\BRMFPO~1.INF\brmfport.PNF cmd.exe File opened for modification C:\Windows\System32\de-DE\Licenses\OEM\ULTIMA~1\license.rtf cmd.exe File opened for modification C:\Windows\System32\de-DE\nddeapi.dll.mui cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\de-DE\EhStorCertDrv.inf_loc cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\es-ES\adpu320.inf_loc cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\BLBDRI~1.INF\blbdrive.inf cmd.exe File opened for modification C:\Windows\System32\cscapi.dll cmd.exe File opened for modification C:\Windows\System32\de-DE\wavemsp.dll.mui cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\ATIRIO~1.INF\atiriol6.inf cmd.exe File opened for modification C:\Windows\System32\C_10029.NLS cmd.exe File opened for modification C:\Windows\System32\de-DE\mstscax.dll.mui cmd.exe File 
opened for modification C:\Windows\System32\DRIVER~1\en-US\prngt003.inf_loc cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\DC21X4~1.INF\dc21x4vm.sys cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\MDMMHR~1.INF\mdmmhrtz.inf cmd.exe File opened for modification C:\Windows\System32\de-DE\imapi.dll.mui cmd.exe File opened for modification C:\Windows\System32\actxprxy.dll cmd.exe File opened for modification C:\Windows\System32\api-ms-win-core-ums-l1-1-0.dll cmd.exe File opened for modification C:\Windows\System32\api-ms-win-crt-environment-l1-1-0.dll cmd.exe File opened for modification C:\Windows\System32\de-DE\RestartManagerUninstall.mfl cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\de-DE\netl1c64.inf_loc cmd.exe File opened for modification C:\Windows\System32\de-DE\hlink.dll.mui cmd.exe File opened for modification C:\Windows\System32\de-DE\IPBusEnum.dll.mui cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\DISPLA~1.INF\vgapnp.sys cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\MDMBR0~2.INF\mdmbr004.inf cmd.exe File opened for modification C:\Windows\System32\amstream.dll cmd.exe File opened for modification C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll cmd.exe File opened for modification C:\Windows\System32\de-DE\MsiCofire.dll.mui cmd.exe File opened for modification C:\Windows\System32\de-DE\neth.dll.mui cmd.exe File opened for modification C:\Windows\System32\de-DE\printui.dll.mui cmd.exe File opened for modification C:\Windows\System32\comdlg32.dll cmd.exe File opened for modification C:\Windows\System32\cryptdlg.dll cmd.exe File opened for modification C:\Windows\System32\dhcpcsvc.dll cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\es-ES\netirda.inf_loc cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\CXRAPT~1.INF\cxraptor_PhilipsTUV1236D_IBV64.inf cmd.exe File opened for modification 
C:\Windows\System32\DRIVER~1\es-ES\smartcrd.inf_loc cmd.exe File opened for modification C:\Windows\System32\de-DE\cabview.dll.mui cmd.exe File opened for modification C:\Windows\System32\de-DE\Licenses\_Default\HOMEPR~2\license.rtf cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\es-ES\prnep00e.inf_loc cmd.exe File opened for modification C:\Windows\System32\de-DE\AxInstUI.exe.mui cmd.exe File opened for modification C:\Windows\System32\de-DE\wksprt.exe.mui cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\es-ES\netnvma.inf_loc cmd.exe File opened for modification C:\Windows\System32\da-DK\FntCache.dll.mui cmd.exe File opened for modification C:\Windows\System32\de-DE\wudfsvc.dll.mui cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\es-ES\wialx005.inf_loc cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\ATIILH~2.INF\atikmdag.sys cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\ATIRIO~1.INF\CTRL.s3 cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\de-DE\wd.inf_loc cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\es-ES\ksfilter.inf_loc cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\FILERE~1\CXFALC~1.INF\CXFALC~1.PNF cmd.exe File opened for modification C:\Windows\System32\chkntfs.exe cmd.exe File opened for modification C:\Windows\System32\de-DE\xrWPusd.dll.mui cmd.exe File opened for modification C:\Windows\System32\DRIVER~1\en-US\prnhp004.inf_loc cmd.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2180 5.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\fr\System.Management.Instrumentation.Resources.dll cmd.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Tracker\TURNON~2.GIF cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\SLIDES~1.GAD\de-DE\slideShow.html cmd.exe File opened for modification C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Games cmd.exe File opened for modification C:\PROGRA~1\COMMON~1\SPEECH~1\MICROS~1\TTS20\it-IT\MSTTSLoc.dll.mui cmd.exe File opened for modification C:\PROGRA~2\WI54FB~1\es-ES\WMPDMC.exe.mui cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\RSSFEE~1.GAD\es-ES\js\settings.js cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\it-IT\js\library.js cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\de-DE\settings.html cmd.exe File opened for modification C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL cmd.exe File opened for modification C:\PROGRA~1\WI0FCF~1\en-US\NBMapTIP.dll.mui cmd.exe File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\CURREN~1.GAD\en-US\js\localizedStrings.js cmd.exe File opened for modification C:\PROGRA~2\COMMON~1\System\OLEDB~1\msdaps.dll cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\it-IT\gadget.xml cmd.exe File opened for modification C:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\IpsMigrationPlugin.dll.mui cmd.exe File opened for modification C:\PROGRA~1\COMMON~1\MICROS~1\ink\TabTip.exe cmd.exe File opened for modification C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Circle_ButtonGraphic.png cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\fr-FR\js\settings.js cmd.exe File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\PICTUR~1.GAD\fr-FR\settings.html cmd.exe File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\PICTUR~1.GAD\Images\settings_box_divider_left.png cmd.exe File opened for modification 
C:\PROGRA~2\Adobe\READER~1.0\Resource\LINGUI~1\PROVID~1\PROXIM~1\11.00\usa37.hyp cmd.exe File opened for modification C:\PROGRA~3\MICROS~1\WINDOW~2\MSFax\COMMON~1\ja-JP\fyi.cov cmd.exe File opened for modification C:\PROGRA~1\COMMON~1\MICROS~1\STATIO~1\Seyes.emf cmd.exe File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\CURREN~1.GAD\ja-JP\gadget.xml cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\docked_black_moon-full_partly-cloudy.png cmd.exe File opened for modification C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\de\System.IO.Log.Resources.dll cmd.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\fr-FR\TipTsf.dll.mui cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\fr-FR\clock.html cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CPU~1.GAD\de-DE\cpu.html cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\144DPI\(144DPI)redStateIcon.png cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\docked_gray_hail.png cmd.exe File opened for modification C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\FlipPage\203x8subpicture.png cmd.exe File opened for modification C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\ja\System.Web.Entity.Resources.dll cmd.exe File opened for modification C:\PROGRA~1\WI54FB~1\de-DE\wmpnssci.dll.mui cmd.exe File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\MEDIAC~1.GAD\js\main.js cmd.exe File opened for modification C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\de\System.Data.DataSetExtensions.Resources.dll cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\Images\settings_box_bottom.png cmd.exe File opened for modification C:\PROGRA~1\WI54FB~1\es-ES\wmpnscfg.exe.mui cmd.exe File opened for modification C:\PROGRA~1\WINDOW~4\ImagingEngine.dll cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\es-ES\css\clock.css cmd.exe File 
opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\images\flower.png cmd.exe File opened for modification C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Stacking\720_480shadow.png cmd.exe File opened for modification C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\es\UIAutomationTypes.resources.dll cmd.exe File opened for modification C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\es\System.Xml.Linq.Resources.dll cmd.exe File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\fr-FR\css\weather.css cmd.exe File opened for modification C:\PROGRA~2\WI54FB~1\MEDIAR~1\DMR_48.png cmd.exe File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\RSSFEE~1.GAD\images\rssBackBlue_docked.png cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CALEND~1.GAD\images\bg-desk.png cmd.exe File opened for modification C:\PROGRA~3\MICROS~1\DEVICE~1\Task\{E35BE~1\print_property.ico cmd.exe File opened for modification C:\PROGRA~1\COMMON~1\MICROS~1\ink\it-IT\InputPersonalization.exe.mui cmd.exe File opened for modification C:\PROGRA~1\COMMON~1\MICROS~1\ink\ja-JP\InkWatson.exe.mui cmd.exe File opened for modification C:\PROGRA~1\COMMON~1\MICROS~1\STATIO~1\Garden.htm cmd.exe File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\CURREN~1.GAD\images\graph_over.png cmd.exe File opened for modification C:\PROGRA~1\WINDOW~1\fr-FR\msoeres.dll.mui cmd.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\penkor.dll cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\undocked_black_moon-first-quarter_partly-cloudy.png cmd.exe File opened for modification C:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\FlickLearningWizard.exe.mui cmd.exe File opened for modification C:\PROGRA~1\COMMON~1\MICROS~1\ink\FSDEFI~1\main\base_kor.xml cmd.exe File opened for modification C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\BabyGirl\content-foreground.png cmd.exe File opened for modification 
C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\rectangle_babypink_Thumbnail.bmp cmd.exe File opened for modification C:\PROGRA~2\WI4223~1\ja-JP\sbdrop.dll.mui cmd.exe File opened for modification C:\PROGRA~3\MICROS~1\DEVICE~1\Task\{07DEB~1\ringtones.ico cmd.exe File opened for modification C:\PROGRA~1\COMMON~1\MICROS~1\STATIO~1\Stucco.gif cmd.exe File opened for modification C:\PROGRA~1\COMMON~1\SPEECH~1\MICROS~1\TTS20\ja-JP\MSTTSLoc.dll.mui cmd.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Help\mui\0407\perfmon.CHM cmd.exe File opened for modification C:\Windows\Help\mui\0409\mmc.CHM cmd.exe File opened for modification C:\Windows\ehome\de-DE\ehres.dll.mui cmd.exe File opened for modification C:\Windows\Media\CALLIG~1\Windows Notify.wav cmd.exe File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\JA\Microsoft.Build.Engine.resources.dll cmd.exe File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\Microsoft.Build.Engine.dll cmd.exe File opened for modification C:\Windows\SERVIC~1\Packages\MI7854~1.CAT cmd.exe File opened for modification C:\Windows\DIAGNO~1\system\AERO\fr-FR\DiagPackage.dll.mui cmd.exe File opened for modification C:\Windows\DIAGNO~1\system\Power\it-IT\RS_ResetDisplayIdleTimeout.psd1 cmd.exe File opened for modification C:\Windows\DIAGNO~1\system\WINDOW~1\es-ES\DiagPackage.dll.mui cmd.exe File opened for modification C:\Windows\SERVIC~1\Packages\MI88A5~1.CAT cmd.exe File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\JA\System.Design.Resources.dll cmd.exe File opened for modification C:\Windows\POLICY~1\es-ES\AppCompat.adml cmd.exe File opened for modification C:\Windows\SERVIC~1\Packages\MIA71F~1.CAT cmd.exe File opened for modification C:\Windows\ehome\en-US\WTVConverter.exe.mui cmd.exe File opened for modification C:\Windows\Media\LANDSC~1\Windows Error.wav cmd.exe File opened for modification C:\Windows\Media\Raga\Windows Feed Discovered.wav cmd.exe File opened for modification C:\Windows\Help\Windows\en-US\safemodc.h1s cmd.exe File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\1031\CvtResUI.dll cmd.exe File opened for modification C:\Windows\POLICY~1\it-IT\UserDataBackup.adml cmd.exe File opened for modification C:\Windows\SERVIC~1\Packages\MID322~1.CAT cmd.exe File opened for modification C:\Windows\SERVIC~1\Packages\PA9023~1.CAT cmd.exe File opened for modification 
C:\Windows\Cursors\pen_im.cur cmd.exe File opened for modification C:\Windows\ehome\ehiUserXp.dll cmd.exe File opened for modification C:\Windows\ehome\ja-JP\ehres.dll.mui cmd.exe File opened for modification C:\Windows\POLICY~1\de-DE\NCSI.adml cmd.exe File opened for modification C:\Windows\POLICY~1\ja-JP\Securitycenter.adml cmd.exe File opened for modification C:\Windows\INSTAL~1\$PATCH~1\Managed\E8EBCC~1\4770C6~1.306\PENIMC~3.DLL cmd.exe File opened for modification C:\Windows\Media\LANDSC~1\Windows Print complete.wav cmd.exe File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\normnfkc.nlp cmd.exe File opened for modification C:\Windows\SERVIC~1\Packages\MI413F~1.CAT cmd.exe File opened for modification C:\Windows\INSTAL~1\{90140~3\outicon.exe cmd.exe File opened for modification C:\Windows\POLICY~1\fr-FR\CredUI.adml cmd.exe File opened for modification C:\Windows\POLICY~1\fr-FR\WinCal.adml cmd.exe File opened for modification C:\Windows\Help\mui\040C\devmgr.CHM cmd.exe File opened for modification C:\Windows\Media\Heritage\Windows Critical Stop.wav cmd.exe File opened for modification C:\Windows\POLICY~1\it-IT\CredSsp.adml cmd.exe File opened for modification C:\Windows\POLICY~1\ja-JP\FramePanes.adml cmd.exe File opened for modification C:\Windows\SERVIC~1\Packages\MID728~1.MUM cmd.exe File opened for modification C:\Windows\SERVIC~1\Packages\WIAEB3~1.CAT cmd.exe File opened for modification C:\Windows\Help\Windows\es-ES\Windows_BestBet.H1K cmd.exe File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\CONFIG\web_lowtrust.config.default cmd.exe File opened for modification C:\Windows\POLICY~1\en-US\WinLogon.adml cmd.exe File opened for modification C:\Windows\Help\Windows\de-DE\hhomeue.h1s cmd.exe File opened for modification C:\Windows\Fonts\ega40woa.fon cmd.exe File opened for modification C:\Windows\Fonts\gulim.ttc cmd.exe File opened for modification C:\Windows\Help\mui\040C\scanmanagement.CHM cmd.exe File opened for 
modification C:\Windows\POLICY~1\DigitalLocker.admx cmd.exe File opened for modification C:\Windows\DIAGNO~1\system\AERO\TS_PowerPolicySetting.ps1 cmd.exe File opened for modification C:\Windows\inf\ndisuio.inf cmd.exe File opened for modification C:\Windows\PLA\Reports\fr-FR\Report.System.Memory.xml cmd.exe File opened for modification C:\Windows\POLICY~1\it-IT\Printing.adml cmd.exe File opened for modification C:\Windows\SERVIC~1\Packages\MID10D~1.MUM cmd.exe File opened for modification C:\Windows\inf\NETFRA~1\CORPerfMonSymbols.h cmd.exe File opened for modification C:\Windows\INSTAL~1\$PATCH~1\Managed\E8EBCC~1\4770C6~1.306\PRESEN~2.MUI cmd.exe File opened for modification C:\Windows\PLA\Reports\fr-FR\Report.System.Configuration.xml cmd.exe File opened for modification C:\Windows\Cursors\size2_r.cur cmd.exe File opened for modification C:\Windows\SERVIC~1\Packages\MIA4AD~1.CAT cmd.exe File opened for modification C:\Windows\POLICY~1\ja-JP\CEIPEnable.adml cmd.exe File opened for modification C:\Windows\POLICY~1\Sensors.admx cmd.exe File opened for modification C:\Windows\SERVIC~1\Packages\MI19D9~1.CAT cmd.exe File opened for modification C:\Windows\SERVIC~1\Packages\WI3386~1.CAT cmd.exe File opened for modification C:\Windows\inf\WINDOW~1.0\0411\PerfCounters_D.ini cmd.exe File opened for modification C:\Windows\SERVIC~1\Packages\MI9EB5~1.MUM cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
Kills process with taskkill 1 IoCs
pid Process 2080 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E0BF3961-A741-11EF-AA9E-527E38F5B48B} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet 
Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe -
Modifies registry key 1 TTPs 2 IoCs
pid Process 2928 reg.exe 804 reg.exe - (Only the two `reg add` children are tagged; the three `reg delete` reg.exe children further down — PIDs 2340, 2420 and 2160 — carry no tag, which suggests this tag is driven by the reg.exe command line rather than by a confirmed registry write. Treat it as an attempt indicator and confirm any actual key change from registry events, not from this tag.)
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2180 5.exe 2992 tskill.exe 2992 tskill.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2080 taskkill.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2388 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2388 iexplore.exe 2388 iexplore.exe 2780 IEXPLORE.EXE 2780 IEXPLORE.EXE 2780 IEXPLORE.EXE 2780 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2180 wrote to memory of 2548 2180 5.exe 31 PID 2180 wrote to memory of 2548 2180 5.exe 31 PID 2180 wrote to memory of 2548 2180 5.exe 31 PID 2180 wrote to memory of 2360 2180 5.exe 32 PID 2180 wrote to memory of 2360 2180 5.exe 32 PID 2180 wrote to memory of 2360 2180 5.exe 32 PID 2180 wrote to memory of 2700 2180 5.exe 33 PID 2180 wrote to memory of 2700 2180 5.exe 33 PID 2180 wrote to memory of 2700 2180 5.exe 33 PID 2180 wrote to memory of 2388 2180 5.exe 34 PID 2180 wrote to memory of 2388 2180 5.exe 34 PID 2180 wrote to memory of 2388 2180 5.exe 34 PID 2388 wrote to memory of 2780 2388 iexplore.exe 35 PID 2388 wrote to memory of 2780 2388 iexplore.exe 35 PID 2388 wrote to memory of 2780 2388 iexplore.exe 35 PID 2388 wrote to memory of 2780 2388 iexplore.exe 35 PID 2180 wrote to memory of 1708 2180 5.exe 36 PID 2180 wrote to memory of 1708 2180 5.exe 36 PID 2180 wrote to memory of 1708 2180 5.exe 36 PID 1708 wrote to memory of 2224 1708 cmd.exe 37 PID 1708 wrote to memory of 2224 1708 cmd.exe 37 PID 1708 wrote to memory of 2224 1708 cmd.exe 37 PID 2180 wrote to memory of 2392 2180 5.exe 38 PID 2180 wrote to memory of 2392 2180 5.exe 38 PID 2180 wrote to memory of 2392 2180 5.exe 38 PID 2392 wrote to memory of 2080 2392 cmd.exe 39 PID 2392 wrote to memory of 2080 2392 cmd.exe 39 PID 2392 wrote to memory of 2080 2392 cmd.exe 39 PID 2180 wrote to memory of 2936 2180 5.exe 41 PID 2180 wrote to memory of 2936 2180 5.exe 41 PID 2180 wrote to memory of 2936 2180 5.exe 41 PID 2936 wrote to memory of 804 2936 cmd.exe 42 PID 2936 wrote to memory of 804 2936 cmd.exe 42 PID 2936 wrote to memory of 804 2936 cmd.exe 42 PID 2180 wrote to memory of 2384 2180 5.exe 43 PID 2180 wrote to memory of 2384 2180 5.exe 43 PID 2180 wrote to memory of 2384 2180 5.exe 43 PID 2384 wrote to memory of 2928 2384 cmd.exe 44 PID 2384 wrote to memory of 2928 2384 cmd.exe 44 PID 2384 wrote to memory of 2928 2384 cmd.exe 44 PID 2180 wrote to memory of 2524 
2180 5.exe 45 PID 2180 wrote to memory of 2524 2180 5.exe 45 PID 2180 wrote to memory of 2524 2180 5.exe 45 PID 2524 wrote to memory of 2988 2524 cmd.exe 46 PID 2524 wrote to memory of 2988 2524 cmd.exe 46 PID 2524 wrote to memory of 2988 2524 cmd.exe 46 PID 2988 wrote to memory of 2992 2988 cmd.exe 47 PID 2988 wrote to memory of 2992 2988 cmd.exe 47 PID 2988 wrote to memory of 2992 2988 cmd.exe 47 PID 2180 wrote to memory of 2980 2180 5.exe 48 PID 2180 wrote to memory of 2980 2180 5.exe 48 PID 2180 wrote to memory of 2980 2180 5.exe 48 PID 2980 wrote to memory of 2340 2980 cmd.exe 49 PID 2980 wrote to memory of 2340 2980 cmd.exe 49 PID 2980 wrote to memory of 2340 2980 cmd.exe 49 PID 2180 wrote to memory of 2344 2180 5.exe 50 PID 2180 wrote to memory of 2344 2180 5.exe 50 PID 2180 wrote to memory of 2344 2180 5.exe 50 PID 2344 wrote to memory of 2420 2344 cmd.exe 51 PID 2344 wrote to memory of 2420 2344 cmd.exe 51 PID 2344 wrote to memory of 2420 2344 cmd.exe 51 PID 2180 wrote to memory of 2156 2180 5.exe 52 PID 2180 wrote to memory of 2156 2180 5.exe 52 PID 2180 wrote to memory of 2156 2180 5.exe 52
Processes
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @echo off2⤵PID:2548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c color a2⤵PID:2360
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"2⤵PID:2700
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http:/www.google.com2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c takeown -f -s -q C:\*2⤵
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\system32\takeown.exetakeown -f -s -q C:\*3⤵
- Modifies file permissions (note: the switches as shown, `-f -s -q`, do not match takeown's documented `/F <file> [/A] [/R]` / `/S <system>` form, so it is unclear whether any ACL or ownership change actually took effect; confirm from file-system events rather than relying on this tag)
PID:2224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM hal.dll2⤵
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\system32\taskkill.exetaskkill /F /IM hal.dll3⤵
- Kills process with taskkill (note: `hal.dll` is the kernel's hardware-abstraction-layer image, not a process image name, so `taskkill /F /IM hal.dll` would most likely report that no such process exists; whatever the sample intended here, this step is ineffective as written)
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /f /d 12⤵
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\system32\reg.exereg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /f /d 13⤵
- Modifies registry key (note: as rendered, the key path `HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem` contains no backslashes; if the command line ran exactly as shown, reg.exe would reject the key name and `DisableTaskMgr` would not be set — verify against the raw command line and registry events before treating a Task Manager lockout as a confirmed effect)
PID:804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKCUTROLLAAJA TRIO2⤵
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\system32\reg.exereg add HKCUTROLLAAJA TRIO3⤵
- Modifies registry key (note: `HKCUTROLLAAJA TRIO` is not a valid key path as shown — no root-key separator, and the trailing `TRIO` is parsed as a separate argument — so reg.exe would most likely fail; this looks like a marker/"troll" string rather than a functional change, but confirm from registry events)
PID:2928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd /c tskill hal.dll2⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\system32\cmd.execmd /c tskill hal.dll3⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\system32\tskill.exetskill hal.dll4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2992
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCR/.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\system32\reg.exereg delete HKCR/.exe3⤵PID:2340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCR/.dll2⤵
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\system32\reg.exereg delete HKCR/.dll3⤵PID:2420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCR/*2⤵PID:2156
-
C:\Windows\system32\reg.exereg delete HKCR/*3⤵PID:2160 (note: all three `reg delete` commands use forward slashes — `HKCR/.exe`, `HKCR/.dll`, `HKCR/*` — and omit `/f`; reg.exe expects backslash-separated key paths and would otherwise prompt for confirmation, so as shown these would fail or stall, and consistently none of these reg.exe children carries a "Modifies registry key" tag. The apparent intent — breaking the .exe/.dll file associations — should be recorded as attempted, not achieved.)
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rd/s/q D:/2⤵PID:2796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rd/s/q C:\2⤵
- Drops file in Drivers directory (note: the six "Drops file …" tags on this `rd /s /q C:\` process most likely reflect file-system events generated by a recursive deletion of the system drive — destructive wiping — rather than the sample writing payloads; check whether the underlying events are deletes or writes before treating them as dropped artifacts)
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2116
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
342B
MD5d545481fece8b83d37ebba674e6d8a85
SHA10444d7454900cf3298e6dddf1218c20bb31638a0
SHA25619725b783bedfe08909838406fe2e6b2150680fc9f76b6400c30d31dbe9c9bb3
SHA5126f1f8efb736a075a6f97dad552209bba6ffcfc8ac96567026e0c013fd6718ef408ea6cf3c7f020819c8cd63387dce44879e203744c84e1d92df8bf44f9e40807
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e5ba1a243a1ae78edfe25d23abf157ed
SHA1970ff2ee1f57697188673285e0a7d1d1c4e596f6
SHA25683849ffc2f68996347ce9678a506d53de4a8a78415f6ae57df4d0484b205ae4e
SHA512db4c617a915a0f32b1e99ba2dfb075fdb6031bb6eaae4244b31155311a8275b4e8271702d57d54c2e666b6925028481e42b7fc83a7d1003cf5d540cc9fa88dfc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51426bdb516dde69f3a31cffad69f05bc
SHA12fc9bc7d95bfa8d5481a14fd215d3161e617c4ad
SHA256de63e150a7307fd6d999870b2496bc498c976f8dc2b28ae0b1226383a120a2d1
SHA5124e73cf0801f20f24be53bfe8268bfd7bde52afd1380b417028749dce8fb28754c13f82e5b1ca838bb896b3a6c64c8802f9127c13c70e434f5c3b59738e54651c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5057c77a99f50b8483b18964a64272fb5
SHA10352be245ea444424550f944c21a7687622dca80
SHA2564a5cf5a31fb8f0d3e40e3227356adf6bd0ef9d530a7e7829d75a182a97d44a79
SHA512c342ef03ee39e944ace3be3de770ae23b2e516ba94aa7cd7325893b804e10dfdc06f4fe8dadaccf8d975018c1551205aab288dfe0b78e3416916ba6574902acd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f8e2ff0af311f99dee682c454eb9596b
SHA17962fae42536199a42700da8b7f2be43432ecd1e
SHA256ef7a54d8688d90b61cefc33ad0d88dca28392b57f622a913289b3f08edfd5960
SHA5126158bfb3e7020ccb5e69e42c50fb8aad8d9462a016876fcfa74a0490a0c8f693f595ff218bc014b11de439ad3e0ea3c31d7485b46fd66fd955a22c3910916044
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59c35af42da6b7180b550a58c067b63d0
SHA1e7536a22b6857a8bf3ef08c8f44ae57d5a97ed47
SHA256e12cd531123f68300d5761e126e91e8a8e494b1f793731dfefb06ffc502ce706
SHA512217f33ec8ef866410c1ce624f47ac5a4cf79928f5cd7d6943809e51b6beca3387a6464da1679ac8eba9cebc73955e6433020b65ee00f6c8c848e5776d16e3f80
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD576f506d7aa5ff9635fb2f13fd878fa72
SHA175939363916136af832e174a41890dd44913fefd
SHA25647abeb7570cf0b2c1de1a30e84af5d46f9c5279659ff675bd1637ada39c34077
SHA512de13da4795e24cea8cf35b8b0552765f2b03b5919adb96f7ec984e001b66d395913bde2e18a35088bdd7b34809121ca72d03197849b7fa0cb0f3d29e7f32bb12
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5181b139ae7bdbacb78ac5477cfd0ee79
SHA1f6d308da83cc6ca2896d8a2e3b9a7252c01b33a0
SHA256dd6e31238854cd6c338a16e337be3f0fb4fe407a3faa6fb650731559927e75bc
SHA512c4c0f9a32135b7a247b1589a806f8ff9e23f88870970f0e31690b2f2bed964020d153e25144fafd59f7fb963d94865f894f1ac82bc1a1840ed19dbef7672470a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56341da0263c7dc373513342b96fadb27
SHA1152ea9fea35d7671a5b79376d8314378ac281e1e
SHA256c97a2a82b280ccc4d40e3d579d2ddd4cdda0df707f5a40d104e77d37e5234200
SHA51223d1ce279b1d6be4ef5e9bec611461ecbc55620ff6b984ffc5c6e56e3127b100bf3388a27ce8aea86d1ba46e38c5e4f7b1f3d83f68681b1565041b3617c4dbb2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD597a89b88f0cf41486d96b86ef1f1e4c9
SHA15dc5e8ffd1aedc82b82d2ea0f512fa4d954919e8
SHA2564bf06b62c2b0a02284e46290390d603807d8949c07f61e080919efe182fa8568
SHA512c9a49524172fbcf945cc1a19467ad81fad6d1431fda7512b671266fef2e15c7b3d6e4e1c561da89d6553bc357053478151c16de74d6fcc4ecea6be36c3a43e28
-
Filesize
5KB
MD5d96ea5cdfb2d9d41424deeee83986196
SHA179e0885216cb7c9fe6b4095576012d41251a073e
SHA256f1da52c98ff3a5bf7dc1cd01be6703a52c38990acf4221b889c6fd3ff3ce6b97
SHA51284e01528ad87f03ef5660648b102d4e9decedd09ca3cfc756331f7f6756daf15f673662b2b197fe29af86f86d3054b866b251ba5ff9af81e53ceed4762128c54
-
Filesize
4KB
MD54428668f4e7d63a61070390e869d6ce1
SHA182343025fe2ac3d2190761498298fe894dcdf009
SHA2565892647864a03a8d49a854f7c867b013e79fa8c1e0b307af11cdd87884c14228
SHA512378c7c19b7521d1b130e1bd3d27893edc4514579789485bea777e030a1585aed532b7ef8ba8c42597e8d9fefa89de83b1ae5417a8b6a31fcba5c4076d91c3511
-
Filesize
3KB
MD5cb0a3c8ca7b0630bbf26122e1e886f75
SHA177974ce22c5153d4ee320d044dbcabcef71ae024
SHA2568e5de5335ab0a5be3b24cecd4472fbd13a08c4b3c61abcafe6fd1502b8ef5df2
SHA512d3b75adf15650dc1d8ff4b92322fec190657f941f048d85ed578b24457e242216563a0df87959edcfcb838e02498644d4fadd5df981cd953348e83a5c192a705
-
Filesize
8KB
MD53f57b781cb3ef114dd0b665151571b7b
SHA1ce6a63f996df3a1cccb81720e21204b825e0238c
SHA25646e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA5128cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa
-
Filesize
2KB
MD5e3e4a98353f119b80b323302f26b78fa
SHA120ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA2569466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee
-
Filesize
1KB
MD573c70b34b5f8f158d38a94b9d7766515
SHA1e9eaa065bd6585a1b176e13615fd7e6ef96230a9
SHA2563ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4
SHA512927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d
-
Filesize
1KB
MD5cdf81e591d9cbfb47a7f97a2bcdb70b9
SHA18f12010dfaacdecad77b70a3e781c707cf328496
SHA256204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd
SHA512977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
16KB
MD507c1119c89e8d27138529a61079307f2
SHA1693c57b8111766425256371aef32837771901118
SHA25684658464a1677eb52f893ab3470844abe99da9b3d5e26193208b3ef28f673d72
SHA5125493acc71e6d1d4c46e9596d20792f684fec02217e4fdbec53f647d22ffe9502d771bed4366bf8d7b146ad197f2fc53c058176fbcafc04f401cbf227f6842173
-
Filesize
16KB
MD502a6bfc0ccd0801c1dc8dd42bf53725e
SHA13bb5d96a9a998173923f842ecea63584282ce663
SHA256ac0a09b3f747ee74f12211440c35783868de2a5af56ae076492d4984ac3fa865
SHA5129c6221abdcf31bbedef1e5bbc27605e1c6c7d4044e41c50a397d77b8ed4d40815711f8a857fe602673bbd3c78edec0808c77c455ac813844d46023e6b07a1ef6
-
Filesize
16KB
MD5f85aa78c707f161e412770006679ff49
SHA1063f94f857de872579ffa5bd1f4b464d62657308
SHA2566279fe64993b1f8e9fe2514cf1e7dfbd3a3233d78abdc53523fb01f5daf1a3d3
SHA512c4ba87a1f1466afc916ef857cd708ccbc9170082237adf3c0a937754a0dd797e372f37f3df10987b182bb5e73174676c3196bbcba5c87d21cc70b907900a5bbf