b1a64eda349bfba9e70a26f070c66f98426f8666502167732b573d8afc7b1f40

Analysis

max time kernel
48s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 17:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Evon.exe
Size

87.5MB
MD5

cf530e69eb06c57a3dfa3ffdc5771a1f
SHA1

95b7e51b37ec4ddae8a970ed5157ac346e2943e7
SHA256

b1a64eda349bfba9e70a26f070c66f98426f8666502167732b573d8afc7b1f40
SHA512

0bf1793278515c185edb76f1e8f22843dfdcb9c976f05c30196646a6c47be5b08a8b619fb97e94bd1224d71200cc9c4df21bfef02af39b8df46492bbd84704c4
SSDEEP

1572864:BGp6fhqX1WAhhwFiAOPyWodm05LXfFFJAGJz0L7eNfvkIbPY7tbIqQP:5ZMHhkc4dm05LXRz0Cf8kutbdQP

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Evon Executor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Evon Executor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Evon Executor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Evon.exe

Executes dropped EXE 5 IoCs

pid	Process
4376	Evon Executor.exe
4424	Evon Executor.exe
1484	Evon Executor.exe
4416	Evon Executor.exe
1436	Evon Executor.exe

Loads dropped DLL 9 IoCs

pid	Process
4376	Evon Executor.exe
1484	Evon Executor.exe
4424	Evon Executor.exe
4416	Evon Executor.exe
4424	Evon Executor.exe
4424	Evon Executor.exe
4424	Evon Executor.exe
4424	Evon Executor.exe
1436	Evon Executor.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Evon Executor = "C:\\Users\\Admin\\AppData\\Roaming\\Evon Executor\\Evon Executor.exe"	Evon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Evon Executor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Evon Executor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Evon Executor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Evon Executor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Evon Executor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Evon Executor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Evon Executor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Evon Executor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Evon Executor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Evon Executor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Evon Executor.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe
Token: SeShutdownPrivilege	4376	Evon Executor.exe
Token: SeCreatePagefilePrivilege	4376	Evon Executor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4376	4604	Evon.exe	95
PID 4604 wrote to memory of 4376	4604	Evon.exe	95
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 4424	4376	Evon Executor.exe	96
PID 4376 wrote to memory of 1484	4376	Evon Executor.exe	97
PID 4376 wrote to memory of 1484	4376	Evon Executor.exe	97
PID 4376 wrote to memory of 4416	4376	Evon Executor.exe	98
PID 4376 wrote to memory of 4416	4376	Evon Executor.exe	98
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99
PID 4376 wrote to memory of 1436	4376	Evon Executor.exe	99

C:\Users\Admin\AppData\Local\Temp\Evon.exe
"C:\Users\Admin\AppData\Local\Temp\Evon.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe
  "C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe
    "C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\evon-executor-nativefier-536e37" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1628,i,16410462027714670601,7729547893475240812,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4424
- - C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe
    "C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\evon-executor-nativefier-536e37" --mojo-platform-channel-handle=2008 --field-trial-handle=1628,i,16410462027714670601,7729547893475240812,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1484
- - C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe
    "C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\evon-executor-nativefier-536e37" --app-user-model-id=evon-executor-nativefier-536e37 --app-path="C:\Users\Admin\AppData\Roaming\Evon Executor\resources\app" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2364 --field-trial-handle=1628,i,16410462027714670601,7729547893475240812,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4416
- - C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe
    "C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\evon-executor-nativefier-536e37" --app-user-model-id=evon-executor-nativefier-536e37 --app-path="C:\Users\Admin\AppData\Roaming\Evon Executor\resources\app" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3236 --field-trial-handle=1628,i,16410462027714670601,7729547893475240812,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe

Filesize
142.0MB

MD5
e7b80e6a3b5b3823758645886d82669e

SHA1
57a0bd94039f93332cbca2da3339b08213737b12

SHA256
3fae32c8631442336e4a9808aa36f7d48473bc6ee2838833a638bbe8172261ed

SHA512
214c8df4bf4c3cadaffcb8773ce780f078064743b05d8d2bd667515ec3b5355fa996f2627557d975ac19b49a4c1a0cba1bb227592ee5c4f4486ffc380bf4c446

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe

Filesize
2.2MB

MD5
d3a9b0d9d5a2d6051170d608d5fee87b

SHA1
5600be6467916702da99e1b90727e36e642aa061

SHA256
7e40953f950a1ca26c4697031ade1f1b7be61e8f7ebde8d4f5113106f9927149

SHA512
2eae234ca139fc30eab4ce62b4af9740e5d92af9a2b48eb9965082dd9f7625ae70cb3ec43235be87a2728f519372dad9e44ea183ffdeb4c554d280abdffc0c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe

Filesize
4.4MB

MD5
2cd9ce27f6ef4d016328d7cfc227cd9e

SHA1
ed414d006294386fb33d430ca4f115b93262ce05

SHA256
283bfef05efad011cecd4fa6a265b8c178406e42b19a5383236407b3ad4e7bc4

SHA512
567f4ba2d31d34d6fec5644f74f47c36db274b1611e91a7ccde38ca55b711976a9716fc9cc288f16b5217990693388f86abcf9b0a11d1f028021ddea152c1cbe

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe

Filesize
6.9MB

MD5
e0b75941ec64910eab0fd5d4d2be38f8

SHA1
3ac835c23fe9e33dcbe9475b9c90c45bd00fcc62

SHA256
7ae7a80da8c79b4fd640be137c8677e409a17b449819b44e1904945820b1176a

SHA512
1a3c5a07176e00be46681079a67f30f28d4ae0a8ce8f486aea61d22ad1287ea7e2ed2a34d1acf869923b115634302a1a9628f447daaf6b7268025ebadc37c087

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe

Filesize
7.4MB

MD5
ddb0adee2d9849dadfd89f172d182022

SHA1
a997ca5276479294da6cccb87a9e5ef595c1c82c

SHA256
725a48661b878e9a8a96a355628b8c4c69ea0acc1f56677def452a6888d62948

SHA512
f5abdc54559cdc074c1ecf0f2689702d720d9cbd2cb026b9895711cdd44673b59e9201e68277aa273bec42e3fe115d4a2d4dc72a45736640d3c58e9427bc7af0

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe

Filesize
4.0MB

MD5
99b699072a0bb64edf868e5ca9d6e112

SHA1
2cb73823f793996c8d39994f540c7f8279654c8c

SHA256
0e3af4ab9eee2d5339ed5157e0516825df4af79f61d24030094464256a431858

SHA512
07bab2e0fef790a9174b5ef78613ccff24cc3cfc5f643ad1d55265968588cc0d22eccee41666f6bf352f9b022e5226a2e6ccc05a5bfb6515f3baf63c9edababf

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\Evon Executor.exe

Filesize
5.0MB

MD5
3f71af8cdad2abc5c7cedad78c37d079

SHA1
c6e049f0515061dbbee635ae915133bee3e3e737

SHA256
4a87b213622c478f896818305a82ea2527551e0f70418d2c5911bb466f0cf5fb

SHA512
01c7d1e2e01141f27ee0013c4b8be00e5293ae0f2c45c7a326d419b992ab697e20a8bec158c1665d81655257e41f87dad5a66e6de4ee5fdd1927f6839afa27a3

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\chrome_100_percent.pak

Filesize
125KB

MD5
0cf9de69dcfd8227665e08c644b9499c

SHA1
a27941acce0101627304e06533ba24f13e650e43

SHA256
d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88

SHA512
bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\chrome_200_percent.pak

Filesize
174KB

MD5
d88936315a5bd83c1550e5b8093eb1e6

SHA1
6445d97ceb89635f6459bc2fb237324d66e6a4ee

SHA256
f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25

SHA512
75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\ffmpeg.dll

Filesize
2.4MB

MD5
c54eaada953df23531b17f9d07078adc

SHA1
7ebdb1da2caae4c637165b9e59409bbd9c7b47ec

SHA256
5b0b355b0413f6f3c1cbb2742dd866048aa15f361c1a18004804d69526e5fdb2

SHA512
1315537226b1f8546c6dfcc16dd189c905eb3657c3ed66fbec7cc419764bb593cd07a5438b0afd7e06dcf808bc2a9f2ec540c73fd50e7c345bfa618c85d7ad40

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\ffmpeg.dll

Filesize
1.4MB

MD5
399698fa5486ee118c8547cb953cc99d

SHA1
e783a22efdbd0bd7e19dbffba26752a4869db99f

SHA256
a3bf85673234afb2080ed476f1f0173e818e56b53f6fe58272465a0b3e346af6

SHA512
1cdf9da86e8abd2ed6babf0fc7e7de1e705103475fda00dd9a695e313de1569bfb03408e438acf5d799d8bb31db53b294d0279072c98e85693c67f653add3d00

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\ffmpeg.dll

Filesize
2.7MB

MD5
b41b5ca7e8cdf2669494ae42bf476eca

SHA1
47fe1078383d1f42b62b96bc2aa73e2dd529c3c4

SHA256
308d47179729e3e06f5153c26621bb67af12fca73a37123987176df5fe9be218

SHA512
98d6822f6a7be5c9b86b6d63140f5e1b653021bf666a8611a18c37202f77947676d8c5c59022d99721423d3799375210b46f25c795e62dc1b258fffcfb3f9d2a

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\icudtl.dat

Filesize
832KB

MD5
3fd1cfd800110e52375bd22e36d777ae

SHA1
58defe6c6542e682f846015fa7a610c00c120214

SHA256
567e88d484f1cebb13e9efaf8b1ff10667d82342a0210d87d1b2aa02879137da

SHA512
15d7fdf46e5772ba82636e7383d551c674660d102f008f0c19c653ca3f9c75ccb832e9354e447a23d40c0fb192dd1ecb4da3006edc5202a11e6868033447732e

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\libEGL.dll

Filesize
460KB

MD5
961c060f241a7ae22e962c82d7803ef1

SHA1
0060b167e55db981c1588ca2074b8ca38b9a8153

SHA256
c8e8007d746df73edbf73cdff18c09bb756f43814978c84a28a72f95d0ac5dc9

SHA512
79539e0d0036124b59f94c6fec0c596e64c41626b9994ff7457f2f6b26e8f2648f93f63f6422c444eb3c8b803079f6ef1f52191980ea88de9d25c40b30547599

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\libGLESv2.dll

Filesize
4.7MB

MD5
2c92bac8a64da6660837cf6faaec6d75

SHA1
1033f66d468e251c2f6cf369974fb047f9fa5d73

SHA256
28843fdf156d1abb3377f08208b5edd874b3c6656019efbc2f1b097a13cf995e

SHA512
bf74bcf6b4306190026cc30b3eadd4d0b2af4f97bddbe795cd234ce447352989742b5b83adb901ee14f0cd61ac3365cda2a0f3c67249ebeff1bed61fd2e1365b

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\libglesv2.dll

Filesize
5.1MB

MD5
664375ab6e84c6a3bf09cd1a40a65d54

SHA1
2088b1d651bca34266bf761b6f16e44af9261677

SHA256
53ac1aaedf9346afbc7b562a389f73846a917ce2a79e643a81fcf39b16c6a71a

SHA512
204562bb9200d992c18fff625c93783df364c03209d8c3b29a48dcf87cbe7c83ac6426ad3269931ab3f24470909b9a1431cfbafdc04af9612a23c37666f86dd0

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\locales\en-US.pak

Filesize
115KB

MD5
f982582f05ea5adf95d9258aa99c2aa5

SHA1
2f3168b09d812c6b9b6defc54390b7a833009abf

SHA256
4221cf9bae4ebea0edc1b0872c24ec708492d4fe13f051d1f806a77fe84ca94d

SHA512
75636f4d6aa1bcf0a573a061a55077106fbde059e293d095557cddfe73522aa5f55fe55a48158bf2cfc74e9edb74cae776369a8ac9123dc6f1f6afa805d0cc78

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\resources.pak

Filesize
4.9MB

MD5
c7b17b0c9e6e6aad4ffd1d61c9200123

SHA1
63a46fc028304de3920252c0dab5aa0a8095ed7d

SHA256
574c67ecd1d07f863343c2ea2854b2d9b2def23f04ba97b67938e72c67799f66

SHA512
96d72485598a6f104e148a8384739939bf4b65054ddde015dd075d357bcc156130690e70f5f50ec915c22df3d0383b0f2fbac73f5de629d5ff8dab5a7533d12b

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\resources\app\icon.ico

Filesize
24KB

MD5
7281dfef921736d0d58d64563e0f04bb

SHA1
835111adeca18a82e7545b4b9bf24670fde7dcc7

SHA256
353c3be9c1462f00ff5c05073403a76c2ec6b82faa990d1ff8bd309b7c64f60b

SHA512
37a61bc544432e0f6706589065d407b2b802e61d5b37cd5c711da88e647b84341162b5157908ae5e5447997a454a76a0b0eafac25cd8c107c3ef326e369e6b1e

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\resources\app\lib\main.js

Filesize
496KB

MD5
7327af37c332ad146899073ec665a18a

SHA1
d35b0c9187a674bbe16687dc7c857d65b94a6f36

SHA256
d6d58a6a98a77a3c0cdb45e642d0a5d125ff3d75bb1f42e7803d100a9160dd05

SHA512
39d35e82d355b573e7ad153b2f4a36b226c39127bd19c48f722b670813d86adfc658563afa53c4129289ad397985f801020daf11174f7df850ea622cb0356435

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\resources\app\lib\preload.js

Filesize
12KB

MD5
cfd7e6489b0d63738319982f68ff935e

SHA1
d05ab48d9dc3a52946511c2c4cf5de0fcb4f1290

SHA256
d50ca2fa212df1c1ff69b5d26ba594bd39bfd86a71b068a650cc577e5dc9a94e

SHA512
9b4c0fb83033163f8e8e35c9da2d33265f7d36eefa22774399abaf867e3d22a3e0cba71f2bb2037fe055e5b9932b25dd98a63b7543c3a15f2667ec40d7bcdf93

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\resources\app\nativefier.json

Filesize
964B

MD5
26506afa5b30030abb842c83ea4ee129

SHA1
990de0ee7bfd97fe2e0fed038a4cae69d87498fd

SHA256
4d752cd0ece850f3295942f406f47c696c7d0c1e7b47d0ce71bb2eb5514c5d37

SHA512
6fe7fbb78c37b32e805d073fa704a4e7ade169a296a56d4640e2e4e51cfbf4523bb5e3d0eda56a59c5d3ac133129d766b1cd1a57ee409044f339425fd6981bb2

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\resources\app\package.json

Filesize
600B

MD5
925eb09f9a49947f41399f733debd3c6

SHA1
df774df63caa734cfacbe091a4f5bc7dcf8000aa

SHA256
cf8981363f70d0289fbdf8d49e00c9f3830f0e1aa7b44da97767cd0284f1245f

SHA512
db770fd13a534e18204459afe594322994c9458aee540044cd6bdb9f103ae50fb18757d07ad68f9857cfb9851b1a1220d5fb6be294c0d88fbeb1b05691e6ed42

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\v8_context_snapshot.bin

Filesize
640KB

MD5
4a85a88e7be0bda98a241739aeaee256

SHA1
70f86d10558e4f9e22299a37398b835851709738

SHA256
26bf5b12ad151b6763386d5278145101cb0da0ebe7762a1a70f43b8fe024b9f8

SHA512
4f1ccf3c6bf5fb55a6d695246f4efe6ea26af97d358ebd162d83639ff33f8e0224a1e8be44b12c49d4c3809dd965d18839fcc9c9c8b710b6d7709ec6f3d5bb6a

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\vk_swiftshader.dll

Filesize
4.1MB

MD5
7bb621d3ba499681d7183fe1dbd1a998

SHA1
73b872b27291b38428ca4fe828cbe450b4e6ab3b

SHA256
00ac5e0dbed355269cac5bee99ec76be2a6350851b8464cf20cc7ab2e658b137

SHA512
ee558b020399c407de9cab004261112f4beb1f8cad5e69d3d89cee4652180c368e31566082365618dcbb57e3626fa6949436a228a84ddc68135315f6163c74ad

Download Submit
C:\Users\Admin\AppData\Roaming\Evon Executor\vk_swiftshader.dll

Filesize
3.9MB

MD5
1bc194549918ba2e48739fead097395b

SHA1
724d7d19332acd5d1f466c02873c7aaa05731e7c

SHA256
f75d87e71df527ee18baf21bca86b044fa3db8adf5ea36d0c893c5aa76bf774b

SHA512
de7b335745cb03223ed3c3aa1aaa21a3193fbe3f652575eb3f5958d7fd56db4e87b44e11025e24712be5d9ba51fc79b7f08b1b95366a67cd9c999c1429c7509e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\evon-executor-nativefier-536e37\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
memory/1436-310-0x00007FFC48830000-0x00007FFC48831000-memory.dmp

Filesize
4KB

Download
memory/1436-311-0x00007FFC4A1E0000-0x00007FFC4A1E1000-memory.dmp

Filesize
4KB

Download
memory/1436-334-0x0000014D5A880000-0x0000014D5A91B000-memory.dmp

Filesize
620KB

Download
memory/4424-218-0x00007FFC48C20000-0x00007FFC48C21000-memory.dmp

Filesize
4KB

Download
memory/4604-0-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/4604-204-0x0000000000C40000-0x0000000000F22000-memory.dmp

Filesize
2.9MB

Download
memory/4604-9-0x0000000000C40000-0x0000000000F22000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads