Analysis
  max time kernel: 49s
  max time network: 153s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 20-07-2021 06:01

Static task: static1
Behavioral task: behavioral1
  Sample: 474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c.exe
  Resource: win10v20210408
General
  Target: 474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c.exe
  Size: 3.2MB
  MD5: 88a990a868eada802839185b6f05c541
  SHA1: 499be12d4fe4f30e672601b1ccbfc4f014a8bca8
  SHA256: 474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c
  SHA512: 7bd11e52a079da6584669707617a433a9f233a7300057d4751872ab202dc665b9c8429df7a641951ef04f51af74fe09e5ac6be49aa7fe2aedb235409e0243cad
Malware Config
Extracted
  Family: smokeloader
  Version: 2020
  C2 URLs:
    http://conceitosseg.com/upload/
    http://integrasidata.com/upload/
    http://ozentekstil.com/upload/
    http://finbelportal.com/upload/
    http://telanganadigital.com/upload/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 4644 | pid_target: 3380 | Process: rUNdlL32.eXe | procid_target: 52
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
  resource: behavioral2/files/0x000100000001abd0-310.dat | yara_rule: family_redline
  resource: behavioral2/files/0x000100000001abd0-311.dat | yara_rule: family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
  resource: behavioral2/files/0x000100000001ab20-141.dat | yara_rule: family_socelars
  resource: behavioral2/files/0x000100000001ab20-140.dat | yara_rule: family_socelars
Downloads MZ/PE file

Executes dropped EXE (15 IoCs)
  pid 2572 | Process: Files.exe
  pid 2812 | Process: File.exe
  pid 2804 | Process: Folder.exe
  pid 3568 | Process: KRSetp.exe
  pid 4132 | Process: Info.exe
  pid 4188 | Process: jg3_3uag.exe
  pid 4228 | Process: Install.exe
  pid 4288 | Process: pub2.exe
  pid 4476 | Process: Folder.exe
  pid 5128 | Process: CupflGKtJXGtokuIRIlLl1KC.exe
  pid 4300 | Process: 8I7bq4_vxeowMnhAnl1HqjE5.exe
  pid 5164 | Process: _L_El8eHA4PcR_Gu7iXH20Cd.exe
  pid 5156 | Process: Rv08_X5AQOmr65izmjZ0_u1C.exe
  pid 4852 | Process: 0ZRpSS6ctIKGfFhyELD5Ykwp.exe
  pid 5180 | Process: uXBIc3lPS0_NgBL89h8Fsydq.exe

  resource: behavioral2/files/0x000100000001ab1f-136.dat | yara_rule: vmprotect
  resource: behavioral2/files/0x000100000001ab1f-135.dat | yara_rule: vmprotect
  resource: behavioral2/memory/4188-143-0x0000000000400000-0x00000000005DB000-memory.dmp | yara_rule: vmprotect
  resource: behavioral2/files/0x000100000001abe5-320.dat | yara_rule: vmprotect
  resource: behavioral2/files/0x000100000001abe5-321.dat | yara_rule: vmprotect
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation | Process: 474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation | Process: Files.exe
Loads dropped DLL (2 IoCs)
  pid 4288 | Process: pub2.exe
  pid 4680 | Process: rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process: jg3_3uag.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 15 | ioc: ipinfo.io
  flow 18 | ioc: ipinfo.io
Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\System32\Tasks\Firefox Default Browser Agent 336849EAC5BBAAFB | Process: svchost.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 3720 set thread context of 5000 | Process: svchost.exe | procid_target: 98
autoit_exe (2 IoCs)
AutoIT scripts compiled to PE executables.
  resource: behavioral2/files/0x000200000001ab23-122.dat | yara_rule: autoit_exe
  resource: behavioral2/files/0x000200000001ab23-123.dat | yara_rule: autoit_exe

Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\Debug\ESE.TXT | Process: MicrosoftEdge.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Process: pub2.exe
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Process: pub2.exe
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Process: pub2.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Process: svchost.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Process: svchost.exe

Kills process with taskkill (1 IoC)
  pid 4912 | Process: taskkill.exe
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | Process: MicrosoftEdge.exe
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | Process: browser_broker.exe
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | Process: MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS (6 IoCs)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | Process: svchost.exe
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | Process: svchost.exe
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | Process: svchost.exe
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | Process: svchost.exe
  Key created: \REGISTRY\USER\.DEFAULT\Software | Process: svchost.exe
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft | Process: svchost.exe
Modifies registry class (64 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | Process: Install.exe
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | Process: Install.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4288 | Process: pub2.exe (2 entries)
  pid 4680 | Process: rundll32.exe (2 entries)
  pid 3720 | Process: svchost.exe (2 entries)
  pid 3000 | Process not Found (repeated for the remaining entries)
Suspicious behavior: MapViewOfSection (3 IoCs)
  pid 4288 | Process: pub2.exe
  pid 4596 | Process: MicrosoftEdgeCP.exe
  pid 4596 | Process: MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 3144 | Process: MicrosoftEdge.exe | Token: SeDebugPrivilege (4 entries)
  pid 4228 | Process: Install.exe | Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  pid 3568 | Process: KRSetp.exe | Token: SeDebugPrivilege
  pid 4680 | Process: rundll32.exe | Token: SeDebugPrivilege
  pid 3720 | Process: svchost.exe | Token: SeDebugPrivilege
  pid 4680 | Process: rundll32.exe | Token: SeDebugPrivilege (repeated entries)
  pid 4912 | Process: taskkill.exe | Token: SeDebugPrivilege
  pid 4680 | Process: rundll32.exe | Token: SeDebugPrivilege (repeated entries)
  pid 2620 | Process: svchost.exe | Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 2812 | Process: File.exe (4 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
  pid 2812 | Process: File.exe (4 entries)

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid 3144 | Process: MicrosoftEdge.exe
  pid 4132 | Process: Info.exe
  pid 4596 | Process: MicrosoftEdgeCP.exe
  pid 4596 | Process: MicrosoftEdgeCP.exe
  pid 5164 | Process: _L_El8eHA4PcR_Gu7iXH20Cd.exe
Suspicious use of WriteProcessMemory (64 IoCs; duplicate rows collapsed)
  PID 3492 (474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c.exe) wrote to memory of 2572 | procid_target: 75
  PID 2572 (Files.exe) wrote to memory of 2812 | procid_target: 77
  PID 3492 (474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c.exe) wrote to memory of 2804 | procid_target: 81
  PID 3492 (474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c.exe) wrote to memory of 3568 | procid_target: 83
  PID 3492 (474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c.exe) wrote to memory of 4132 | procid_target: 84
  PID 3492 (474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c.exe) wrote to memory of 4188 | procid_target: 85
  PID 3492 (474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c.exe) wrote to memory of 4228 | procid_target: 86
  PID 3492 (474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c.exe) wrote to memory of 4288 | procid_target: 87
  PID 2804 (Folder.exe) wrote to memory of 4476 | procid_target: 88
  PID 4644 (rUNdlL32.eXe) wrote to memory of 4680 | procid_target: 92
  PID 4228 (Install.exe) wrote to memory of 4800 | procid_target: 93
  PID 4800 (cmd.exe) wrote to memory of 4912 | procid_target: 96
  PID 4680 (rundll32.exe) wrote to memory of 3720 | procid_target: 70
  PID 4680 (rundll32.exe) wrote to memory of 2852 | procid_target: 42
  PID 3720 (svchost.exe) wrote to memory of 5000 | procid_target: 98
  PID 4680 (rundll32.exe) wrote to memory of 1000 | procid_target: 61
  PID 4680 (rundll32.exe) wrote to memory of 2424 | procid_target: 33
  PID 4680 (rundll32.exe) wrote to memory of 2416 | procid_target: 30
  PID 4680 (rundll32.exe) wrote to memory of 1080 | procid_target: 58
  PID 4680 (rundll32.exe) wrote to memory of 860 | procid_target: 11
  PID 4680 (rundll32.exe) wrote to memory of 1412 | procid_target: 14
  PID 4680 (rundll32.exe) wrote to memory of 1844 | procid_target: 41
  PID 4680 (rundll32.exe) wrote to memory of 1252 | procid_target: 13
  PID 4680 (rundll32.exe) wrote to memory of 1232 | procid_target: 56
  PID 4680 (rundll32.exe) wrote to memory of 2620 | procid_target: 36
  PID 4680 (rundll32.exe) wrote to memory of 2628 | procid_target: 43
  PID 4596 (MicrosoftEdgeCP.exe) wrote to memory of 4876 | procid_target: 95
  PID 4132 (Info.exe) wrote to memory of 4300 | procid_target: 112
  PID 4132 (Info.exe) wrote to memory of 5128 | procid_target: 104
  PID 4132 (Info.exe) wrote to memory of 4852 | procid_target: 111
Processes
-
- c:\windows\system32\svchost.exe (level 1, PID 860)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Schedule
  signatures: Drops file in System32 directory
  - C:\Users\Admin\AppData\Roaming\vuthggc (level 2, PID 5708)
    command line: C:\Users\Admin\AppData\Roaming\vuthggc
- c:\windows\system32\svchost.exe (level 1, PID 1252)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Themes
- c:\windows\system32\svchost.exe (level 1, PID 1412)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s SENS
- c:\windows\system32\svchost.exe (level 1, PID 2416)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
- c:\windows\system32\svchost.exe (level 1, PID 2424)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
- c:\windows\system32\svchost.exe (level 1, PID 2620)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
  signatures: Suspicious use of AdjustPrivilegeToken
- c:\windows\system32\svchost.exe (level 1, PID 1844)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
- c:\windows\system32\svchost.exe (level 1, PID 2852)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Browser
- c:\windows\system32\svchost.exe (level 1, PID 2628)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s WpnService
- c:\windows\system32\svchost.exe (level 1, PID 1232)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s UserManager
- c:\windows\system32\svchost.exe (level 1, PID 1080)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
- c:\windows\system32\svchost.exe (level 1, PID 1000)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
- C:\Users\Admin\AppData\Local\Temp\474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c.exe (level 1, PID 3492)
  command line: "C:\Users\Admin\AppData\Local\Temp\474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Files.exe (level 2, PID 2572)
    command line: "C:\Users\Admin\AppData\Local\Temp\Files.exe"
    signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe (level 3, PID 2812)
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
      signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\Folder.exe (level 2, PID 2804)
    command line: "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Folder.exe (level 3, PID 4476)
      command line: "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
      signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\KRSetp.exe (level 2, PID 3568)
    command line: "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Info.exe (level 2, PID 4132)
    command line: "C:\Users\Admin\AppData\Local\Temp\Info.exe"
    signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Documents\CupflGKtJXGtokuIRIlLl1KC.exe (level 3, PID 5128)
      command line: "C:\Users\Admin\Documents\CupflGKtJXGtokuIRIlLl1KC.exe"
      signatures: Executes dropped EXE
    - C:\Users\Admin\Documents\45EQltnOw3cRjhjG_e8y02TA.exe (level 3, PID 5220)
      command line: "C:\Users\Admin\Documents\45EQltnOw3cRjhjG_e8y02TA.exe"
    - C:\Users\Admin\Documents\sf3RLwrggmAlXhmYYEI_B2dz.exe (level 3, PID 5204)
      command line: "C:\Users\Admin\Documents\sf3RLwrggmAlXhmYYEI_B2dz.exe"
    - C:\Users\Admin\Documents\Tjn6YA0tUDzdVRMEh4C5bICH.exe (level 3, PID 5192)
      command line: "C:\Users\Admin\Documents\Tjn6YA0tUDzdVRMEh4C5bICH.exe"
    - C:\Users\Admin\Documents\uXBIc3lPS0_NgBL89h8Fsydq.exe (level 3, PID 5180)
      command line: "C:\Users\Admin\Documents\uXBIc3lPS0_NgBL89h8Fsydq.exe"
      signatures: Executes dropped EXE
    - C:\Users\Admin\Documents\Rv08_X5AQOmr65izmjZ0_u1C.exe (level 3, PID 5156)
      command line: "C:\Users\Admin\Documents\Rv08_X5AQOmr65izmjZ0_u1C.exe"
      signatures: Executes dropped EXE
    - C:\Users\Admin\Documents\_L_El8eHA4PcR_Gu7iXH20Cd.exe (level 3, PID 5164)
      command line: "C:\Users\Admin\Documents\_L_El8eHA4PcR_Gu7iXH20Cd.exe"
      signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Documents\0ZRpSS6ctIKGfFhyELD5Ykwp.exe (level 3, PID 4852)
      command line: "C:\Users\Admin\Documents\0ZRpSS6ctIKGfFhyELD5Ykwp.exe"
      signatures: Executes dropped EXE
    - C:\Users\Admin\Documents\8I7bq4_vxeowMnhAnl1HqjE5.exe (level 3, PID 4300)
      command line: "C:\Users\Admin\Documents\8I7bq4_vxeowMnhAnl1HqjE5.exe"
      signatures: Executes dropped EXE
    - C:\Users\Admin\Documents\s3xZlLWGCMz618QZwlfk7MXd.exe (level 3, PID 5256)
      command line: "C:\Users\Admin\Documents\s3xZlLWGCMz618QZwlfk7MXd.exe"
    - C:\Users\Admin\Documents\M0NwE3HNQTkcOOhRD74p7cdt.exe (level 3, PID 5264)
      command line: "C:\Users\Admin\Documents\M0NwE3HNQTkcOOhRD74p7cdt.exe"
    - C:\Users\Admin\Documents\_AswUW1CNwHCAN1MrQhpXmYB.exe (level 3, PID 5428)
      command line: "C:\Users\Admin\Documents\_AswUW1CNwHCAN1MrQhpXmYB.exe"
    - C:\Users\Admin\Documents\KHa7cgwaXWoFcEz0HfNuyxrA.exe (level 3, PID 5416)
      command line: "C:\Users\Admin\Documents\KHa7cgwaXWoFcEz0HfNuyxrA.exe"
    - C:\Users\Admin\Documents\JuAIOvAMmaWayCpOWLjhqI8v.exe (level 3, PID 5612)
      command line: "C:\Users\Admin\Documents\JuAIOvAMmaWayCpOWLjhqI8v.exe"
    - C:\Users\Admin\Documents\Rcy2khxESqYPI5_vqozCSkrn.exe (level 3, PID 5560)
      command line: "C:\Users\Admin\Documents\Rcy2khxESqYPI5_vqozCSkrn.exe"
    - C:\Users\Admin\Documents\RAV0K7EseQSYe0xJ7aDDC723.exe (level 3, PID 5592)
      command line: "C:\Users\Admin\Documents\RAV0K7EseQSYe0xJ7aDDC723.exe"
    - C:\Users\Admin\Documents\cKfMi86HzJMPQ7V_ER1mOhqN.exe (level 3, PID 5580)
      command line: "C:\Users\Admin\Documents\cKfMi86HzJMPQ7V_ER1mOhqN.exe"
    - C:\Users\Admin\Documents\Gk5D2Iie_lCH8axzo9AHUDzs.exe (level 3, PID 5568)
      command line: "C:\Users\Admin\Documents\Gk5D2Iie_lCH8axzo9AHUDzs.exe"
  - C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe (level 2, PID 4188)
    command line: "C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
    signatures: Executes dropped EXE; Checks whether UAC is enabled
  - C:\Users\Admin\AppData\Local\Temp\Install.exe (level 2, PID 4228)
    command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    signatures: Executes dropped EXE; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3, PID 4800)
      command line: cmd.exe /c taskkill /f /im chrome.exe
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\taskkill.exe (level 4, PID 4912)
        command line: taskkill /f /im chrome.exe
        signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\pub2.exe (level 2, PID 4288)
    command line: "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- \??\c:\windows\system32\svchost.exe (level 1, PID 3720)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
  signatures: Suspicious use of SetThreadContext; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (level 2, PID 5000)
    command line: C:\Windows\system32\svchost.exe -k SystemNetworkService
    signatures: Checks processor information in registry; Modifies data under HKEY_USERS
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (level 1, PID 3144)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  signatures: Drops file in Windows directory; Modifies Internet Explorer settings; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\browser_broker.exe (level 1, PID 4008)
  command line: C:\Windows\system32\browser_broker.exe -Embedding
  signatures: Modifies Internet Explorer settings
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (level 1, PID 4596)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  signatures: Modifies registry class; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- C:\Windows\system32\rUNdlL32.eXe (level 1, PID 4644)
  command line: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2, PID 4680)
    command line: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    signatures: Loads dropped DLL; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (level 1, PID 4876)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  signatures: Modifies registry class
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (level 1, PID 4520)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  signatures: Modifies Internet Explorer settings; Modifies registry class
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (level 1, PID 4168)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca