jigsaw | hxxp://temp[.]sh/ennfh/trash_malware[.]zip

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	B71W07N8R46T0CO4X17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	S84R47C8A47L0SH6Y68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	X01H48Z4W86R3WZ0Z87.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	U13T58D2E30D7AZ6H07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	C37A87Y4F40I1JW5Z85.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	R31S01Y5U56Q0MI2J10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskdl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskdl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	V23R18X5W24F7YM3U36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskdl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	W47I82V1P04V2PA6K37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskdl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	G75H25V3I77U3OM1P46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	X75N43K7E64V2IV0W12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	O14U26L5P13Q5KX3O72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	J16L62D3S46L5DL3R11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	W52B34B2Q01J7IB3O00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	W64G07Q3V18O6YW0W88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Z34B03E1K40Q0OS6K15.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Illerka.C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	S11M66P6S66T8PC1C61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	K80N56J1M43T1TP8G51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	E00V61G7W08G2ZT0Q83.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry

Windows security bypass 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	antivirus-platinum.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	antivirus-platinum.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Possible privilege escalation attempt 3 IoCs

exploit

pid	Process
2536	icacls.exe
1668	takeown.exe
2064	icacls.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD4E9.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDD4FC.tmp	WannaCrypt0r.exe

Executes dropped EXE 64 IoCs

pid	Process
448	Zika.exe
2176	IconDance.exe
1312	FreeYoutubeDownloader.exe
3056	AntivirusPro2017.exe
896	Illerka.C.exe
768	XPAntivirus2008.exe
1240	AntivirusPlatinum.exe
3036	Bonzify.exe
2468	WannaCrypt0r.exe
2556	HappyAntivirus.exe
2084	icons.exe
1452	Jigsaw.exe
2112	gaben64.exe
1264	sweeney64.exe
1444	svchost.exe
1952	taskdl.exe
912	drpbx.exe
1800	302746537.exe
2124	taskhost.exe
2760	Free YouTube Downloader.exe
1268	svchost.exe
2940	@[email protected]
2460	antivirus-platinum.exe
1152	@[email protected]
2092	rhc51jj0e5aj.exe
2840	taskhost.exe
1312	svchost.exe
1304	S11M66P6S66T8PC1C61.exe
808	svchost.exe
324	O14U26L5P13Q5KX3O72.exe
3004	taskhost.exe
2820	svchost.exe
2572	INSTALLER.exe
1732	AgentSvr.exe
2224	INSTALLER.exe
936	taskdl.exe
2436	taskse.exe
1584	@[email protected]
2488	K80N56J1M43T1TP8G51.exe
2156	U13T58D2E30D7AZ6H07.exe
936	C37A87Y4F40I1JW5Z85.exe
2380	V23R18X5W24F7YM3U36.exe
2640	AgentSvr.exe
2104	taskse.exe
1716	@[email protected]
2040	taskdl.exe
1276	E00V61G7W08G2ZT0Q83.exe
1772	J16L62D3S46L5DL3R11.exe
1448	R31S01Y5U56Q0MI2J10.exe
1828	W47I82V1P04V2PA6K37.exe
1212	taskse.exe
780	@[email protected]
284	taskdl.exe
1588	W52B34B2Q01J7IB3O00.exe
2464	G75H25V3I77U3OM1P46.exe
2064	B71W07N8R46T0CO4X17.exe
2740	W64G07Q3V18O6YW0W88.exe
112	@[email protected]
2352	taskse.exe
1380	Z34B03E1K40Q0OS6K15.exe
612	X75N43K7E64V2IV0W12.exe
1732	taskdl.exe
1404	S84R47C8A47L0SH6Y68.exe
1440	X01H48Z4W86R3WZ0Z87.exe

Loads dropped DLL 64 IoCs

pid	Process
1108	cmd.exe
1108	cmd.exe
768	XPAntivirus2008.exe
768	XPAntivirus2008.exe
768	XPAntivirus2008.exe
448	Zika.exe
448	Zika.exe
768	XPAntivirus2008.exe
768	XPAntivirus2008.exe
2468	WannaCrypt0r.exe
2468	WannaCrypt0r.exe
2856	cscript.exe
448	Zika.exe
448	Zika.exe
1312	FreeYoutubeDownloader.exe
1312	FreeYoutubeDownloader.exe
448	Zika.exe
448	Zika.exe
2468	WannaCrypt0r.exe
2468	WannaCrypt0r.exe
2788	cmd.exe
768	XPAntivirus2008.exe
768	XPAntivirus2008.exe
768	XPAntivirus2008.exe
768	XPAntivirus2008.exe
2092	rhc51jj0e5aj.exe
2092	rhc51jj0e5aj.exe
2092	rhc51jj0e5aj.exe
768	XPAntivirus2008.exe
768	XPAntivirus2008.exe
768	XPAntivirus2008.exe
768	XPAntivirus2008.exe
768	XPAntivirus2008.exe
316	WerFault.exe
316	WerFault.exe
448	Zika.exe
448	Zika.exe
316	WerFault.exe
448	Zika.exe
448	Zika.exe
896	Illerka.C.exe
448	Zika.exe
448	Zika.exe
896	Illerka.C.exe
448	Zika.exe
448	Zika.exe
448	Zika.exe
448	Zika.exe
3036	Bonzify.exe
2572	INSTALLER.exe
2572	INSTALLER.exe
2572	INSTALLER.exe
2572	INSTALLER.exe
1904	regsvr32.exe
2088	regsvr32.exe
1196	regsvr32.exe
868	regsvr32.exe
2552	regsvr32.exe
1576	regsvr32.exe
2068	regsvr32.exe
2572	INSTALLER.exe
2572	INSTALLER.exe
1732	AgentSvr.exe
1732	AgentSvr.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2536	icacls.exe
1668	takeown.exe
2064	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	antivirus-platinum.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMrhc51jj0e5aj = "C:\\Program Files (x86)\\rhc51jj0e5aj\\rhc51jj0e5aj.exe"	XPAntivirus2008.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	Jigsaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	FreeYoutubeDownloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\Downloads\\trash_malware\\trash malware\\AntivirusPro2017.exe"	AntivirusPro2017.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	INSTALLER.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 54 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskdl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	W52B34B2Q01J7IB3O00.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	B71W07N8R46T0CO4X17.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	X75N43K7E64V2IV0W12.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Illerka.C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	S11M66P6S66T8PC1C61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskdl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	U13T58D2E30D7AZ6H07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	V23R18X5W24F7YM3U36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	G75H25V3I77U3OM1P46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	X75N43K7E64V2IV0W12.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskdl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	S11M66P6S66T8PC1C61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	O14U26L5P13Q5KX3O72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	K80N56J1M43T1TP8G51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	J16L62D3S46L5DL3R11.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	W47I82V1P04V2PA6K37.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	W64G07Q3V18O6YW0W88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	W64G07Q3V18O6YW0W88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskdl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskdl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	W47I82V1P04V2PA6K37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	E00V61G7W08G2ZT0Q83.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	O14U26L5P13Q5KX3O72.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	K80N56J1M43T1TP8G51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskse.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	E00V61G7W08G2ZT0Q83.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskse.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskdl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	B71W07N8R46T0CO4X17.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskse.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	V23R18X5W24F7YM3U36.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C37A87Y4F40I1JW5Z85.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	R31S01Y5U56Q0MI2J10.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskse.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	S84R47C8A47L0SH6Y68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	S84R47C8A47L0SH6Y68.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	U13T58D2E30D7AZ6H07.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	R31S01Y5U56Q0MI2J10.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	G75H25V3I77U3OM1P46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	C37A87Y4F40I1JW5Z85.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskdl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	W52B34B2Q01J7IB3O00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskse.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Z34B03E1K40Q0OS6K15.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Z34B03E1K40Q0OS6K15.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	X01H48Z4W86R3WZ0Z87.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	X01H48Z4W86R3WZ0Z87.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	J16L62D3S46L5DL3R11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Illerka.C.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskdl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskse.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\W:	AntivirusPro2017.exe
File opened (read-only)	\??\X:	AntivirusPro2017.exe
File opened (read-only)	\??\Y:	AntivirusPro2017.exe
File opened (read-only)	\??\K:	AntivirusPro2017.exe
File opened (read-only)	\??\L:	AntivirusPro2017.exe
File opened (read-only)	\??\H:	AntivirusPro2017.exe
File opened (read-only)	\??\J:	AntivirusPro2017.exe
File opened (read-only)	\??\M:	AntivirusPro2017.exe
File opened (read-only)	\??\O:	AntivirusPro2017.exe
File opened (read-only)	\??\Z:	AntivirusPro2017.exe
File opened (read-only)	\??\E:	AntivirusPro2017.exe
File opened (read-only)	\??\G:	AntivirusPro2017.exe
File opened (read-only)	\??\N:	AntivirusPro2017.exe
File opened (read-only)	\??\P:	AntivirusPro2017.exe
File opened (read-only)	\??\S:	AntivirusPro2017.exe
File opened (read-only)	\??\T:	AntivirusPro2017.exe
File opened (read-only)	\??\U:	AntivirusPro2017.exe
File opened (read-only)	\??\V:	AntivirusPro2017.exe
File opened (read-only)	\??\I:	AntivirusPro2017.exe
File opened (read-only)	\??\Q:	AntivirusPro2017.exe
File opened (read-only)	\??\R:	AntivirusPro2017.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	AntivirusPro2017.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SET42C0.tmp	INSTALLER.exe
File created	C:\Windows\SysWOW64\SET42C0.tmp	INSTALLER.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	INSTALLER.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCrypt0r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x002400000001ceb4-1105.dat	upx
behavioral4/memory/1800-1118-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral4/memory/2460-1897-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral4/memory/1800-1914-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral4/memory/2460-1994-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\rhc51jj0e5aj\database.dat	XPAntivirus2008.exe
File created	C:\Program Files (x86)\rhc51jj0e5aj\MFC71ENU.DLL	XPAntivirus2008.exe
File created	C:\Program Files (x86)\rhc51jj0e5aj\rhc51jj0e5aj.exe.local	XPAntivirus2008.exe
File created	C:\Program Files (x86)\rhc51jj0e5aj\Uninstall.exe	XPAntivirus2008.exe
File created	C:\Program Files (x86)\rhc51jj0e5aj\rhc51jj0e5aj.exe	XPAntivirus2008.exe
File created	C:\Program Files (x86)\rhc51jj0e5aj\msvcp71.dll	XPAntivirus2008.exe
File created	C:\Program Files (x86)\rhc51jj0e5aj\MFC71.dll	XPAntivirus2008.exe
File created	C:\Program Files (x86)\rhc51jj0e5aj\msvcr71.dll	XPAntivirus2008.exe
File created	C:\Program Files (x86)\rhc51jj0e5aj\license.txt	XPAntivirus2008.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32	wscript.exe
File opened for modification	C:\Windows\antivirus-platinum.exe	AntivirusPlatinum.exe
File opened for modification	C:\windows\antivirus-platinum.exe	attrib.exe
File created	C:\Windows\msagent\SET4012.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\mslwvtts.dll	INSTALLER.exe
File opened for modification	C:\Windows\help\SET4017.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET4019.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\SET42BD.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET400F.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	INSTALLER.exe
File created	C:\Windows\msagent\SET4011.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET4016.tmp	INSTALLER.exe
File created	C:\Windows\fonts\SET42BE.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET400D.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET400D.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentAnm.dll	INSTALLER.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	INSTALLER.exe
File created	C:\Windows\302746537.exe	AntivirusPlatinum.exe
File opened for modification	C:\Windows\msagent\SET400E.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET4016.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	INSTALLER.exe
File created	C:\Windows\notepad.dll.sys.exe	Zika.exe
File opened for modification	C:\Windows\COMCTL32.OCX	AntivirusPlatinum.exe
File opened for modification	C:\Windows\INF\agtinst.inf	INSTALLER.exe
File created	C:\Windows\help\SET4017.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	INSTALLER.exe
File created	C:\Windows\COMCTL32.OCX	AntivirusPlatinum.exe
File opened for modification	C:\Windows\msagent\SET4012.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\SET4018.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\SET42BF.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	INSTALLER.exe
File created	C:\Windows\executables.bin	Bonzify.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET4011.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSR.dll	INSTALLER.exe
File opened for modification	C:\Windows\help\Agt0409.hlp	INSTALLER.exe
File opened for modification	C:\Windows\302746537.exe	AntivirusPlatinum.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	INSTALLER.exe
File opened for modification	C:\Windows\fonts\SET42BE.tmp	INSTALLER.exe
File created	C:\Windows\msagent\chars\Bonzi.acs	Bonzify.exe
File opened for modification	C:\Windows\msagent\SET4013.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET4019.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	INSTALLER.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	explorer.exe
File opened for modification	C:\Windows\notepad.dll.sys.exe	Zika.exe
File created	C:\Windows\msagent\SET400E.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET400F.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET4010.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentMPx.dll	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SET42BC.tmp	INSTALLER.exe
File created	C:\Windows\INF\SET42BF.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET4014.tmp	INSTALLER.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	explorer.exe
File created	C:\Windows\finalDestruction.bin	Bonzify.exe
File created	C:\Windows\antivirus-platinum.exe	AntivirusPlatinum.exe
File opened for modification	C:\Windows\MSCOMCTL.OCX	AntivirusPlatinum.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259838666	AntivirusPlatinum.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SET42AB.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SET42AB.tmp	INSTALLER.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	FreeYoutubeDownloader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
316	2092	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	J16L62D3S46L5DL3R11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AntivirusPlatinum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhc51jj0e5aj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C37A87Y4F40I1JW5Z85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R31S01Y5U56Q0MI2J10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	W52B34B2Q01J7IB3O00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B71W07N8R46T0CO4X17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	X75N43K7E64V2IV0W12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Box.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCrypt0r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HappyAntivirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S84R47C8A47L0SH6Y68.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AntivirusPro2017.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antivirus-platinum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTALLER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Z34B03E1K40Q0OS6K15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	X01H48Z4W86R3WZ0Z87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XPAntivirus2008.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	W64G07Q3V18O6YW0W88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	G75H25V3I77U3OM1P46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IconDance.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonzify.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	O14U26L5P13Q5KX3O72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E00V61G7W08G2ZT0Q83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	U13T58D2E30D7AZ6H07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsmprovhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zika.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral4/files/0x000500000001a4b9-600.dat	nsis_installer_1
behavioral4/files/0x000500000001a4b9-600.dat	nsis_installer_2
behavioral4/files/0x000500000001cb49-1963.dat	nsis_installer_1
behavioral4/files/0x000500000001cb49-1963.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1740	vssadmin.exe

Kills process with taskkill 1 IoCs

pid	Process
2892	taskkill.exe

Modifies Control Panel 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s1159 = "Bolbi"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s2359 = "Bolbi"	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Appearance\New Schemes\2\Sizes\0\Color #0 = "0"	Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Colors\InfoWindow = "255 255 255"	Box.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	antivirus-platinum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "YOUR PC MAY BE INFECTED WITH SPYWARE OR OTHER MALICIOUS ITEMS"	antivirus-platinum.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	antivirus-platinum.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://secureservices2010.webs.com/scan"	antivirus-platinum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan"	antivirus-platinum.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\SystemNotification\.Default\ = "%SystemRoot%\\media\\Windows Balloon.wav"	Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\CriticalBatteryAlarm\Characters\ = "C:\\Windows\\Media\\Characters\\Windows Battery Critical.wav"	Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Colors\GrayText = "128 128 128"	Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\SystemAsterisk\Calligraphy\ = "C:\\Windows\\Media\\Balligraphy\\Windows Error.wav"	Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\Explorer\Navigating\Calligraphy\ = "C:\\Windows\\Media\\Calligraphy\\Windows Navigation Start.wav"	Box.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Console\ColorTable07 = "12632256"	Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\International\s2359 = "PM"	Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\NewChangJie.Modeless = "0x00000000"	Box.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2004 = "0"	Box.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\MenuWidth = "-285"	Box.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\ListSvc.dll,-100 = "HomeGroup Listener"	Box.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Console\ColorTable01 = "8388608"	Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\LowBatteryAlarm\Savanna\ = "C:\\Windows\\Media\\Savannb\\Windows Battery Low.wav"	Box.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PeerNet\CollabHost\ShowIcon = "1"	Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\SystemNotification\Raga\ = "C:\\Windows\\Media\\Raga\\Windows Balloon.wav"	Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\Explorer\FaxSent\Heritage\ = "C:\\Windows\\Media\\tada.wav"	Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\sapisvr\HubOnSound\Calligraphy\ = "C:\\Windows\\Media\\Speech On.wav"	Box.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\IMEJP\10.0\MSIME\AutoCharWidth\SHARP = "151585536"	Box.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"	Box.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E84-DF38-11CF-8E74-00A0C90F26F8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9ED94442-E5E8-101B-B9B5-444553540000}\TypeLib\Version = "1.3"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3E-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE40-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "c:\\windows\\mscomctl.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE42-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\ = "ISlider"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BDD-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlSpeechInput"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\ = "Microsoft TreeView Control, version 5.0 (SP2)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ToolboxBitmap32\ = "C:\\Windows\\msagent\\AgentCtl.dll, 105"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\ProgID\ = "COMCTL.ProgCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3A-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ = "Microsoft Agent Control 1.5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\ = "Microsoft ProgressBar Control, version 5.0 (SP2)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A1-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E8E-DF38-11CF-8E74-00A0C90F26F8}\ = "ITreeView"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D94-9D6A-101B-AFC0-4210102A8DA7}\TypeLib\Version = "1.3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider.2\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3E-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8D8-850A-101B-AFC0-4210102A8DA7}\InprocServer32\ = "c:\\windows\\comctl32.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83601-895E-11D0-B0A6-000000000000}\ = "IListItems"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ = "IImage"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\TypeLib	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E944-850A-101B-AFC0-4210102A8DA7}\ = "ITab10"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7791BA40-E020-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B7E6391-850A-101B-AFC0-4210102A8DA7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DA8D91-9D6A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC0AB1C0-6CAB-11CF-8998-00AA00688B10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7791BA50-E020-11CF-8E74-00A0C90F26F8}\ = "ITabs"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA40-E020-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D8B-9D6A-101B-AFC0-4210102A8DA7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE34-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8AE-850A-101B-AFC0-4210102A8DA7}\ = "IListItems10"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6BA90C01-3910-11D1-ACB3-00C04FD97575}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E1B5150-DB62-11D0-A0D8-0080C7E7B78D}\TypeLib	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

defense_evasion spyware trojan

pid	Process
2908	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	@[email protected]
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	@[email protected]

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\trash_malware.zip:Zone.Identifier	firefox.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 11 IoCs

pid	Process
448	Zika.exe
2176	IconDance.exe
896	Illerka.C.exe
1312	FreeYoutubeDownloader.exe
768	XPAntivirus2008.exe
3056	AntivirusPro2017.exe
2556	HappyAntivirus.exe
1240	AntivirusPlatinum.exe
2084	icons.exe
3036	Bonzify.exe
2468	WannaCrypt0r.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
896	Illerka.C.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
1304	S11M66P6S66T8PC1C61.exe
324	O14U26L5P13Q5KX3O72.exe
936	taskdl.exe
936	taskdl.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1952	explorer.exe
1108	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	firefox.exe
Token: SeDebugPrivilege	1956	firefox.exe
Token: SeDebugPrivilege	1956	firefox.exe
Token: 33	2344	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2344	AUDIODG.EXE
Token: 33	2344	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2344	AUDIODG.EXE
Token: SeRestorePrivilege	1904	7zG.exe
Token: 35	1904	7zG.exe
Token: SeSecurityPrivilege	1904	7zG.exe
Token: SeSecurityPrivilege	1904	7zG.exe
Token: SeDebugPrivilege	448	Zika.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	896	Illerka.C.exe
Token: SeDebugPrivilege	1304	S11M66P6S66T8PC1C61.exe
Token: SeDebugPrivilege	324	O14U26L5P13Q5KX3O72.exe
Token: SeBackupPrivilege	1628	vssvc.exe
Token: SeRestorePrivilege	1628	vssvc.exe
Token: SeAuditPrivilege	1628	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2348	WMIC.exe
Token: SeSecurityPrivilege	2348	WMIC.exe
Token: SeTakeOwnershipPrivilege	2348	WMIC.exe
Token: SeLoadDriverPrivilege	2348	WMIC.exe
Token: SeSystemProfilePrivilege	2348	WMIC.exe
Token: SeSystemtimePrivilege	2348	WMIC.exe
Token: SeProfSingleProcessPrivilege	2348	WMIC.exe
Token: SeIncBasePriorityPrivilege	2348	WMIC.exe
Token: SeCreatePagefilePrivilege	2348	WMIC.exe
Token: SeBackupPrivilege	2348	WMIC.exe
Token: SeRestorePrivilege	2348	WMIC.exe
Token: SeShutdownPrivilege	2348	WMIC.exe
Token: SeDebugPrivilege	2348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2348	WMIC.exe
Token: SeRemoteShutdownPrivilege	2348	WMIC.exe
Token: SeUndockPrivilege	2348	WMIC.exe
Token: SeManageVolumePrivilege	2348	WMIC.exe
Token: 33	2348	WMIC.exe
Token: 34	2348	WMIC.exe
Token: 35	2348	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2348	WMIC.exe
Token: SeSecurityPrivilege	2348	WMIC.exe
Token: SeTakeOwnershipPrivilege	2348	WMIC.exe
Token: SeLoadDriverPrivilege	2348	WMIC.exe
Token: SeSystemProfilePrivilege	2348	WMIC.exe
Token: SeSystemtimePrivilege	2348	WMIC.exe
Token: SeProfSingleProcessPrivilege	2348	WMIC.exe
Token: SeIncBasePriorityPrivilege	2348	WMIC.exe
Token: SeCreatePagefilePrivilege	2348	WMIC.exe
Token: SeBackupPrivilege	2348	WMIC.exe
Token: SeRestorePrivilege	2348	WMIC.exe
Token: SeShutdownPrivilege	2348	WMIC.exe
Token: SeDebugPrivilege	2348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2348	WMIC.exe
Token: SeRemoteShutdownPrivilege	2348	WMIC.exe
Token: SeUndockPrivilege	2348	WMIC.exe
Token: SeManageVolumePrivilege	2348	WMIC.exe
Token: 33	2348	WMIC.exe
Token: 34	2348	WMIC.exe
Token: 35	2348	WMIC.exe
Token: SeRestorePrivilege	2572	INSTALLER.exe
Token: SeRestorePrivilege	2572	INSTALLER.exe
Token: SeRestorePrivilege	2572	INSTALLER.exe
Token: SeRestorePrivilege	2572	INSTALLER.exe
Token: SeRestorePrivilege	2572	INSTALLER.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1956	firefox.exe
1956	firefox.exe
1956	firefox.exe
1956	firefox.exe
1904	7zG.exe
2556	HappyAntivirus.exe
3056	AntivirusPro2017.exe
3056	AntivirusPro2017.exe
3056	AntivirusPro2017.exe
2760	Free YouTube Downloader.exe
2640	AgentSvr.exe
3056	AntivirusPro2017.exe
3056	AntivirusPro2017.exe
3056	AntivirusPro2017.exe
2760	Free YouTube Downloader.exe
2556	HappyAntivirus.exe
2640	AgentSvr.exe
3056	AntivirusPro2017.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
3056	AntivirusPro2017.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
3056	AntivirusPro2017.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
3056	AntivirusPro2017.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
1956	firefox.exe
1956	firefox.exe
1956	firefox.exe
2556	HappyAntivirus.exe
3056	AntivirusPro2017.exe
3056	AntivirusPro2017.exe
3056	AntivirusPro2017.exe
2760	Free YouTube Downloader.exe
2640	AgentSvr.exe
3056	AntivirusPro2017.exe
3056	AntivirusPro2017.exe
3056	AntivirusPro2017.exe
2760	Free YouTube Downloader.exe
2556	HappyAntivirus.exe
2640	AgentSvr.exe
3056	AntivirusPro2017.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
3056	AntivirusPro2017.exe
3056	AntivirusPro2017.exe
3056	AntivirusPro2017.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1956	firefox.exe
1956	firefox.exe
1956	firefox.exe
3056	AntivirusPro2017.exe
3056	AntivirusPro2017.exe
2940	@[email protected]
2940	@[email protected]
2460	antivirus-platinum.exe
1152	@[email protected]
1152	@[email protected]
1584	@[email protected]
1584	@[email protected]
1716	@[email protected]
780	@[email protected]
112	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1956	3064	firefox.exe	30
PID 3064 wrote to memory of 1956	3064	firefox.exe	30
PID 3064 wrote to memory of 1956	3064	firefox.exe	30
PID 3064 wrote to memory of 1956	3064	firefox.exe	30
PID 3064 wrote to memory of 1956	3064	firefox.exe	30
PID 3064 wrote to memory of 1956	3064	firefox.exe	30
PID 3064 wrote to memory of 1956	3064	firefox.exe	30
PID 3064 wrote to memory of 1956	3064	firefox.exe	30
PID 3064 wrote to memory of 1956	3064	firefox.exe	30
PID 3064 wrote to memory of 1956	3064	firefox.exe	30
PID 3064 wrote to memory of 1956	3064	firefox.exe	30
PID 3064 wrote to memory of 1956	3064	firefox.exe	30
PID 1956 wrote to memory of 1580	1956	firefox.exe	31
PID 1956 wrote to memory of 1580	1956	firefox.exe	31
PID 1956 wrote to memory of 1580	1956	firefox.exe	31
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2852	1956	firefox.exe	32
PID 1956 wrote to memory of 2356	1956	firefox.exe	33
PID 1956 wrote to memory of 2356	1956	firefox.exe	33
PID 1956 wrote to memory of 2356	1956	firefox.exe	33
PID 1956 wrote to memory of 2356	1956	firefox.exe	33
PID 1956 wrote to memory of 2356	1956	firefox.exe	33

System policy modification 1 TTPs 34 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	G75H25V3I77U3OM1P46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskse.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	C37A87Y4F40I1JW5Z85.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	W64G07Q3V18O6YW0W88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ATTENTION!"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Illerka.C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	S11M66P6S66T8PC1C61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskdl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskdl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	R31S01Y5U56Q0MI2J10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	X75N43K7E64V2IV0W12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	J16L62D3S46L5DL3R11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	W47I82V1P04V2PA6K37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	W52B34B2Q01J7IB3O00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	K80N56J1M43T1TP8G51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	U13T58D2E30D7AZ6H07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	B71W07N8R46T0CO4X17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskdl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	S84R47C8A47L0SH6Y68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	X01H48Z4W86R3WZ0Z87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your PC has been wrecked by Bolbi!"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	E00V61G7W08G2ZT0Q83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskdl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Z34B03E1K40Q0OS6K15.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	O14U26L5P13Q5KX3O72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	V23R18X5W24F7YM3U36.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

Hidden Files and Directories

T1564.001

pid	Process
2140	attrib.exe
828	attrib.exe
1948	attrib.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://temp.sh/ennfh/trash_malware.zip"
1⤵
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://temp.sh/ennfh/trash_malware.zip
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.0.407646310\1372225875" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1200 -prefsLen 20769 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9623137e-8a2d-41e5-be3f-fcf06ea406e6} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 1288 10cd8e58 gpu
    3⤵
    PID:1580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.1.1332135792\2034360136" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 21630 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {187a24b6-5bc6-4613-993e-6a5b148d172d} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 1488 d70158 socket
    3⤵
    - Checks processor information in registry
    PID:2852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.2.1906878381\575221609" -childID 1 -isForBrowser -prefsHandle 2080 -prefMapHandle 2076 -prefsLen 21668 -prefMapSize 233414 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf978e19-fdfd-4b98-8c44-e714de74a091} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 2092 1a3d1658 tab
    3⤵
    PID:2356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.3.1942411831\877844368" -childID 2 -isForBrowser -prefsHandle 2436 -prefMapHandle 2408 -prefsLen 26138 -prefMapSize 233414 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c680510-1172-491e-8cb3-f26a6f31de3c} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 2372 1b085858 tab
    3⤵
    PID:1936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.4.1771044412\1924715304" -childID 3 -isForBrowser -prefsHandle 3464 -prefMapHandle 3608 -prefsLen 26273 -prefMapSize 233414 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9eb038a2-525f-486b-82af-635ef377a55b} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 1088 1cc3ce58 tab
    3⤵
    PID:2244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.5.432937943\58552929" -childID 4 -isForBrowser -prefsHandle 3740 -prefMapHandle 3744 -prefsLen 26273 -prefMapSize 233414 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bba5744-a27b-499c-9142-61104f9fcccf} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 3728 1cc3d158 tab
    3⤵
    PID:396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.6.1977305689\767234424" -childID 5 -isForBrowser -prefsHandle 3904 -prefMapHandle 3908 -prefsLen 26273 -prefMapSize 233414 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5889e157-817a-48f2-98a7-8ca064aff5b3} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 3892 1cc3e658 tab
    3⤵
    PID:612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.7.1432875337\1525909406" -childID 6 -isForBrowser -prefsHandle 2200 -prefMapHandle 2136 -prefsLen 26448 -prefMapSize 233414 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bf38c8c-03c5-45bb-a681-3f81897ea191} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 2092 21090e58 tab
    3⤵
    PID:1560

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2764

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x530
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\trash_malware\" -spe -an -ai#7zMap20239:88:7zEvent12640
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1904

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\trash_malware\trash malware\stupidy fuckity malware.bat" "
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1108
- C:\Windows\system32\msg.exe
  msg * you did a mistake...
  2⤵
  PID:2236
- C:\Users\Admin\Downloads\trash_malware\trash malware\Zika.exe
  Zika.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\svchost.exe" -extract C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1444
- - C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\icons.rc, C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\icons.res
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2124
- - C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\svchost.exe" -extract C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1268
- - C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\icons.rc, C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\icons.res
    3⤵
    - Executes dropped EXE
    PID:2840
- - C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\svchost.exe" -addoverwrite C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe", "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe, C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\icons.res, icongroup,,
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1312
- - C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\svchost.exe" -extract C:\@[email protected], C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:808
- - C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\icons.rc, C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\icons.res
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3004
- - C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\svchost.exe" -addoverwrite C:\@[email protected]", "C:\@[email protected], C:\Users\Admin\AppData\Local\Temp\fc3c6bd844574cc3b13b9052481e6dae\icons.res, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:2820
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\trash_malware\trash malware\Bolbi.vbs"
  2⤵
  PID:2656
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Downloads\trash_malware\trash malware\Bolbi.vbs" /elevated
    3⤵
    - Drops file in Windows directory
    - Modifies Control Panel
    - System policy modification
    PID:3064
- C:\Users\Admin\Downloads\trash_malware\trash malware\IconDance.exe
  IconDance.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2176
- C:\Users\Admin\Downloads\trash_malware\trash malware\Illerka.C.exe
  Illerka.C.exe
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:896
- - C:\Users\Admin\Downloads\trash_malware\trash malware\msg\S11M66P6S66T8PC1C61.exe
    "C:\Users\Admin\Downloads\trash_malware\trash malware\msg\S11M66P6S66T8PC1C61.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1304
- - C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\O14U26L5P13Q5KX3O72.exe
    "C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\O14U26L5P13Q5KX3O72.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:324
- C:\Users\Admin\Downloads\trash_malware\trash malware\FreeYoutubeDownloader.exe
  FreeYoutubeDownloader.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1312
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2760
  - - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
      "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Modifies data under HKEY_USERS
      PID:2028
    - - C:\Windows\SysWOW64\wsmprovhost.exe
        
        "C:\Windows\SysWOW64\wsmprovhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:592
    - - C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe
        
        "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
    - - C:\Windows\winsxs\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728\printui.exe
        
        "C:\Windows\winsxs\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728\printui.exe"
        5⤵
        
        PID:2072
    - - C:\Windows\SysWOW64\write.exe
        
        "C:\Windows\SysWOW64\write.exe"
        5⤵
        
        PID:1540
      - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        6⤵
        
        PID:1320
        
        C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        7⤵
        
        PID:2064
        
        C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        7⤵
        
        PID:1012
    - - C:\Windows\winsxs\amd64_microsoft-windows-s..restartup-baaupdate_31bf3856ad364e35_6.1.7600.16385_none_9243b833ecd918df\baaupdate.exe
        
        "C:\Windows\winsxs\amd64_microsoft-windows-s..restartup-baaupdate_31bf3856ad364e35_6.1.7600.16385_none_9243b833ecd918df\baaupdate.exe"
        5⤵
        
        PID:1400
- C:\Users\Admin\Downloads\trash_malware\trash malware\XPAntivirus2008.exe
  XPAntivirus2008.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:768
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B C:\Users\Admin\AppData\Local\Temp\pin.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Antivirus XP 2008" "Antivirus XP 2008.lnk"
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B C:\Users\Admin\AppData\Local\Temp\pin.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Antivirus XP 2008" "Register Antivirus XP 2008.lnk"
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c mpfo.bat "C:\Users\Admin\Downloads\trash_malware\trash malware\XPAntivirus2008.exe"
    3⤵
    PID:1000
- - C:\Program Files (x86)\rhc51jj0e5aj\rhc51jj0e5aj.exe
    "C:\Program Files (x86)\rhc51jj0e5aj\rhc51jj0e5aj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 252
      4⤵
      Loads dropped DLL
      Program crash
      PID:316
- C:\Users\Admin\Downloads\trash_malware\trash malware\AntivirusPro2017.exe
  AntivirusPro2017.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3056
- C:\Users\Admin\Downloads\trash_malware\trash malware\HappyAntivirus.exe
  HappyAntivirus.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2556
- C:\Users\Admin\Downloads\trash_malware\trash malware\AntivirusPlatinum.exe
  AntivirusPlatinum.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1240
- - C:\WINDOWS\302746537.exe
    "C:\WINDOWS\302746537.exe"
    3⤵
    - Executes dropped EXE
    PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\D549.tmp\302746537.bat" "
      4⤵
      PID:2060
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s c:\windows\comctl32.ocx
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s c:\windows\mscomctl.ocx
        5⤵
        Modifies registry class
        
        PID:2028
    - - \??\c:\windows\antivirus-platinum.exe
        
        c:\windows\antivirus-platinum.exe
        5⤵
        Windows security bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2460
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h c:\windows\antivirus-platinum.exe
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1948
- C:\Users\Admin\Downloads\trash_malware\trash malware\icons.exe
  icons.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2084
- C:\Users\Admin\Downloads\trash_malware\trash malware\Bonzify.exe
  Bonzify.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
    3⤵
    PID:2920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im AgentSvr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /r /d y /f C:\Windows\MsAgent
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1668
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2064
- - C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
    INSTALLER.exe /q
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1904
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
      4⤵
      Loads dropped DLL
      PID:2088
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
      4⤵
      Loads dropped DLL
      PID:1196
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:868
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2552
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
      4⤵
      Loads dropped DLL
      PID:1576
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
      4⤵
      Loads dropped DLL
      PID:2068
  - - C:\Windows\msagent\AgentSvr.exe
      "C:\Windows\msagent\AgentSvr.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1732
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:1248
- - C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
    INSTALLER.exe /q
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2224
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
      4⤵
      System Location Discovery: System Language Discovery
      PID:3020
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      PID:2552
- C:\Users\Admin\Downloads\trash_malware\trash malware\Jigsaw.exe
  Jigsaw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1452
- - C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
    "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\Downloads\trash_malware\trash?malware\Jigsaw.exe
    3⤵
    - Executes dropped EXE
    PID:912
- C:\Users\Admin\Downloads\trash_malware\trash malware\WannaCrypt0r.exe
  WannaCrypt0r
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2468
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2140
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2536
- - C:\Users\Admin\Downloads\trash_malware\trash malware\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c 249661741295894.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2464
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      Loads dropped DLL
      PID:2856
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:828
- - C:\Users\Admin\Downloads\trash_malware\trash malware\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - Loads dropped DLL
    PID:2788
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
      - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        System Location Discovery: System Language Discovery
        Interacts with shadow copies
        
        PID:1740
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
- - C:\Users\Admin\Downloads\trash_malware\trash malware\taskdl.exe
    taskdl.exe
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - System policy modification
    PID:936
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\msg\K80N56J1M43T1TP8G51.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\msg\K80N56J1M43T1TP8G51.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System policy modification
      PID:2488
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\U13T58D2E30D7AZ6H07.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\U13T58D2E30D7AZ6H07.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:2156
- - C:\Users\Admin\Downloads\trash_malware\trash malware\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\trash_malware\trash malware\@[email protected]
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System policy modification
    PID:2436
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\msg\C37A87Y4F40I1JW5Z85.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\msg\C37A87Y4F40I1JW5Z85.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:936
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\V23R18X5W24F7YM3U36.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\V23R18X5W24F7YM3U36.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System policy modification
      PID:2380
- - C:\Users\Admin\Downloads\trash_malware\trash malware\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "lxejlrdtqen920" /t REG_SZ /d "\"C:\Users\Admin\Downloads\trash_malware\trash malware\tasksche.exe\"" /f
    3⤵
    PID:716
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "lxejlrdtqen920" /t REG_SZ /d "\"C:\Users\Admin\Downloads\trash_malware\trash malware\tasksche.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2908
- - C:\Users\Admin\Downloads\trash_malware\trash malware\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\trash_malware\trash malware\@[email protected]
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:2104
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\msg\R31S01Y5U56Q0MI2J10.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\msg\R31S01Y5U56Q0MI2J10.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:1448
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\W47I82V1P04V2PA6K37.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\W47I82V1P04V2PA6K37.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System policy modification
      PID:1828
- - C:\Users\Admin\Downloads\trash_malware\trash malware\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1716
- - C:\Users\Admin\Downloads\trash_malware\trash malware\taskdl.exe
    taskdl.exe
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:2040
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\msg\E00V61G7W08G2ZT0Q83.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\msg\E00V61G7W08G2ZT0Q83.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:1276
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\J16L62D3S46L5DL3R11.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\J16L62D3S46L5DL3R11.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:1772
- - C:\Users\Admin\Downloads\trash_malware\trash malware\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\trash_malware\trash malware\@[email protected]
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:1212
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\msg\W52B34B2Q01J7IB3O00.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\msg\W52B34B2Q01J7IB3O00.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:1588
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\G75H25V3I77U3OM1P46.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\G75H25V3I77U3OM1P46.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:2464
- - C:\Users\Admin\Downloads\trash_malware\trash malware\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:780
- - C:\Users\Admin\Downloads\trash_malware\trash malware\taskdl.exe
    taskdl.exe
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:284
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\msg\W64G07Q3V18O6YW0W88.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\msg\W64G07Q3V18O6YW0W88.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:2740
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\B71W07N8R46T0CO4X17.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\B71W07N8R46T0CO4X17.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:2064
- - C:\Users\Admin\Downloads\trash_malware\trash malware\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\trash_malware\trash malware\@[email protected]
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:2352
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\msg\Z34B03E1K40Q0OS6K15.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\msg\Z34B03E1K40Q0OS6K15.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:1380
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\X75N43K7E64V2IV0W12.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\X75N43K7E64V2IV0W12.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:612
- - C:\Users\Admin\Downloads\trash_malware\trash malware\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:112
- - C:\Users\Admin\Downloads\trash_malware\trash malware\taskdl.exe
    taskdl.exe
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:1732
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\msg\S84R47C8A47L0SH6Y68.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\msg\S84R47C8A47L0SH6Y68.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:1404
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\X01H48Z4W86R3WZ0Z87.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\X01H48Z4W86R3WZ0Z87.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:1440
- - C:\Users\Admin\Downloads\trash_malware\trash malware\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\trash_malware\trash malware\@[email protected]
    3⤵
    PID:1868
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\msg\X86G43B3A47L5ZZ2S11.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\msg\X86G43B3A47L5ZZ2S11.exe"
      4⤵
      PID:2816
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\Q72X64Z4R22I2OP8N42.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\Q72X64Z4R22I2OP8N42.exe"
      4⤵
      PID:1468
- - C:\Users\Admin\Downloads\trash_malware\trash malware\@[email protected]
    @[email protected]
    3⤵
    PID:2312
- - C:\Users\Admin\Downloads\trash_malware\trash malware\taskdl.exe
    taskdl.exe
    3⤵
    PID:2396
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\msg\K07N07R8K40E0JA7Z20.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\msg\K07N07R8K40E0JA7Z20.exe"
      4⤵
      PID:2884
  - - C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\R61E40R6W50T8KN8N64.exe
      "C:\Users\Admin\Downloads\trash_malware\trash malware\TaskData\R61E40R6W50T8KN8N64.exe"
      4⤵
      PID:3032
- - C:\Users\Admin\Downloads\trash_malware\trash malware\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\trash_malware\trash malware\@[email protected]
    3⤵
    PID:112
- - C:\Users\Admin\Downloads\trash_malware\trash malware\@[email protected]
    @[email protected]
    3⤵
    PID:2860
- - C:\Users\Admin\Downloads\trash_malware\trash malware\taskdl.exe
    taskdl.exe
    3⤵
    PID:1836
- C:\Users\Admin\Downloads\trash_malware\trash malware\gaben64.exe
  gaben64.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Users\Admin\Downloads\trash_malware\trash malware\sweeney64.exe
  sweeney64.exe
  2⤵
  - Executes dropped EXE
  PID:1264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2380

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2640

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2552

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2872

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:2800

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:1688
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery