pony | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

resource	yara_rule
behavioral15/files/0x000100000001ab7b-44.dat	Nirsoft
behavioral15/files/0x000100000001ab7b-43.dat	Nirsoft
behavioral15/files/0x000700000001ab6b-60.dat	Nirsoft
behavioral15/files/0x000700000001ab6b-59.dat	Nirsoft
behavioral15/files/0x000800000001ab6b-91.dat	Nirsoft
behavioral15/files/0x000800000001ab6b-92.dat	Nirsoft

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral15/memory/1864-65-0x0000000005310000-0x0000000005319000-memory.dmp	rezer0

Blocklisted process makes network request 1 IoCs

flow	pid	Process
21	3136	rundll32.exe

Executes dropped EXE 17 IoCs

pid	Process
4080	keygen-pr.exe
2076	keygen-step-3.exe
4424	keygen-step-4.exe
1572	key.exe
1968	Setup.exe
2172	key.exe
2872	1605720737643.exe
1864	BTRSetp.exe
5040	1605720740956.exe
3612	BTRSetp.exe
2632	juppp.exe
4824	jfiag_gg.exe
4412	jfiag_gg.exe
4532	id6.exe
4420	lcx.exe
1576	setup_full.exe
4464	wyfdggaa.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral15/files/0x000100000001ab75-73.dat	upx
behavioral15/files/0x000100000001ab75-72.dat	upx
behavioral15/files/0x000800000001ab6b-75.dat	upx
behavioral15/files/0x000800000001ab6b-76.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe"	juppp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wyfdggaa.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1968	Setup.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1572 set thread context of 2172	1572	key.exe	89
PID 1968 set thread context of 3136	1968	Setup.exe	92
PID 1968 set thread context of 3696	1968	Setup.exe	93
PID 1968 set thread context of 4508	1968	Setup.exe	94
PID 4508 set thread context of 708	4508	rundll32.exe	109
PID 1864 set thread context of 3612	1864	BTRSetp.exe	110

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4896	3612	WerFault.exe	110

Kills process with taskkill 2 IoCs

evasion

pid	Process
3772	taskkill.exe
2996	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000d474e9df4690eec1f6c982c9f9780bbfdc57113a3af7cff4136513458937fb861d6c9dcc6dca59af78bb2b2b15b0952ae47c67b39697a62e2935	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iplogger.org\NumberOfSubdomai = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "v38k95l"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iplogger.org\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{CEF399DC-9C67-4466-B0CA-5456B603D955} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\iplogger.org\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1468	PING.EXE
2972	PING.EXE
4756	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2872	1605720737643.exe
2872	1605720737643.exe
5040	1605720740956.exe
5040	1605720740956.exe
1572	key.exe
1572	key.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4896	WerFault.exe
4412	jfiag_gg.exe
4412	jfiag_gg.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1288	MicrosoftEdgeCP.exe
1288	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeImpersonatePrivilege	1572	key.exe
Token: SeTcbPrivilege	1572	key.exe
Token: SeChangeNotifyPrivilege	1572	key.exe
Token: SeCreateTokenPrivilege	1572	key.exe
Token: SeBackupPrivilege	1572	key.exe
Token: SeRestorePrivilege	1572	key.exe
Token: SeIncreaseQuotaPrivilege	1572	key.exe
Token: SeAssignPrimaryTokenPrivilege	1572	key.exe
Token: SeImpersonatePrivilege	1572	key.exe
Token: SeTcbPrivilege	1572	key.exe
Token: SeChangeNotifyPrivilege	1572	key.exe
Token: SeCreateTokenPrivilege	1572	key.exe
Token: SeBackupPrivilege	1572	key.exe
Token: SeRestorePrivilege	1572	key.exe
Token: SeIncreaseQuotaPrivilege	1572	key.exe
Token: SeAssignPrimaryTokenPrivilege	1572	key.exe
Token: SeImpersonatePrivilege	1572	key.exe
Token: SeTcbPrivilege	1572	key.exe
Token: SeChangeNotifyPrivilege	1572	key.exe
Token: SeCreateTokenPrivilege	1572	key.exe
Token: SeBackupPrivilege	1572	key.exe
Token: SeRestorePrivilege	1572	key.exe
Token: SeIncreaseQuotaPrivilege	1572	key.exe
Token: SeAssignPrimaryTokenPrivilege	1572	key.exe
Token: SeImpersonatePrivilege	1572	key.exe
Token: SeTcbPrivilege	1572	key.exe
Token: SeChangeNotifyPrivilege	1572	key.exe
Token: SeCreateTokenPrivilege	1572	key.exe
Token: SeBackupPrivilege	1572	key.exe
Token: SeRestorePrivilege	1572	key.exe
Token: SeIncreaseQuotaPrivilege	1572	key.exe
Token: SeAssignPrimaryTokenPrivilege	1572	key.exe
Token: SeImpersonatePrivilege	1572	key.exe
Token: SeTcbPrivilege	1572	key.exe
Token: SeChangeNotifyPrivilege	1572	key.exe
Token: SeCreateTokenPrivilege	1572	key.exe
Token: SeBackupPrivilege	1572	key.exe
Token: SeRestorePrivilege	1572	key.exe
Token: SeIncreaseQuotaPrivilege	1572	key.exe
Token: SeAssignPrimaryTokenPrivilege	1572	key.exe
Token: SeRestorePrivilege	4896	WerFault.exe
Token: SeBackupPrivilege	4896	WerFault.exe
Token: SeDebugPrivilege	4896	WerFault.exe
Token: SeDebugPrivilege	4160	MicrosoftEdge.exe
Token: SeDebugPrivilege	4160	MicrosoftEdge.exe
Token: SeDebugPrivilege	4160	MicrosoftEdge.exe
Token: SeDebugPrivilege	4160	MicrosoftEdge.exe
Token: SeDebugPrivilege	1776	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1776	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1776	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1776	MicrosoftEdgeCP.exe
Token: SeManageVolumePrivilege	4464	wyfdggaa.exe
Token: SeManageVolumePrivilege	4464	wyfdggaa.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
708	rundll32.exe
4532	id6.exe
4532	id6.exe
4160	MicrosoftEdge.exe
4464	wyfdggaa.exe
1288	MicrosoftEdgeCP.exe
1288	MicrosoftEdgeCP.exe
4464	wyfdggaa.exe
4464	wyfdggaa.exe
4464	wyfdggaa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 3220	4744	Magic_File_v3_keygen_by_KeygenNinja.exe	78
PID 4744 wrote to memory of 3220	4744	Magic_File_v3_keygen_by_KeygenNinja.exe	78
PID 4744 wrote to memory of 3220	4744	Magic_File_v3_keygen_by_KeygenNinja.exe	78
PID 3220 wrote to memory of 4080	3220	cmd.exe	81
PID 3220 wrote to memory of 4080	3220	cmd.exe	81
PID 3220 wrote to memory of 4080	3220	cmd.exe	81
PID 3220 wrote to memory of 2076	3220	cmd.exe	82
PID 3220 wrote to memory of 2076	3220	cmd.exe	82
PID 3220 wrote to memory of 2076	3220	cmd.exe	82
PID 3220 wrote to memory of 4424	3220	cmd.exe	83
PID 3220 wrote to memory of 4424	3220	cmd.exe	83
PID 3220 wrote to memory of 4424	3220	cmd.exe	83
PID 2076 wrote to memory of 4512	2076	keygen-step-3.exe	84
PID 2076 wrote to memory of 4512	2076	keygen-step-3.exe	84
PID 2076 wrote to memory of 4512	2076	keygen-step-3.exe	84
PID 4512 wrote to memory of 1468	4512	cmd.exe	86
PID 4512 wrote to memory of 1468	4512	cmd.exe	86
PID 4512 wrote to memory of 1468	4512	cmd.exe	86
PID 4080 wrote to memory of 1572	4080	keygen-pr.exe	87
PID 4080 wrote to memory of 1572	4080	keygen-pr.exe	87
PID 4080 wrote to memory of 1572	4080	keygen-pr.exe	87
PID 4424 wrote to memory of 1968	4424	keygen-step-4.exe	88
PID 4424 wrote to memory of 1968	4424	keygen-step-4.exe	88
PID 4424 wrote to memory of 1968	4424	keygen-step-4.exe	88
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1572 wrote to memory of 2172	1572	key.exe	89
PID 1968 wrote to memory of 3136	1968	Setup.exe	92
PID 1968 wrote to memory of 3136	1968	Setup.exe	92
PID 1968 wrote to memory of 3136	1968	Setup.exe	92
PID 1968 wrote to memory of 3136	1968	Setup.exe	92
PID 1968 wrote to memory of 3136	1968	Setup.exe	92
PID 1968 wrote to memory of 3136	1968	Setup.exe	92
PID 1968 wrote to memory of 3136	1968	Setup.exe	92
PID 1968 wrote to memory of 3696	1968	Setup.exe	93
PID 1968 wrote to memory of 3696	1968	Setup.exe	93
PID 1968 wrote to memory of 3696	1968	Setup.exe	93
PID 1968 wrote to memory of 3696	1968	Setup.exe	93
PID 1968 wrote to memory of 3696	1968	Setup.exe	93
PID 1968 wrote to memory of 3696	1968	Setup.exe	93
PID 1968 wrote to memory of 3696	1968	Setup.exe	93
PID 1968 wrote to memory of 4508	1968	Setup.exe	94
PID 1968 wrote to memory of 4508	1968	Setup.exe	94
PID 1968 wrote to memory of 4508	1968	Setup.exe	94
PID 1968 wrote to memory of 4508	1968	Setup.exe	94
PID 1968 wrote to memory of 4508	1968	Setup.exe	94
PID 1968 wrote to memory of 4508	1968	Setup.exe	94
PID 1968 wrote to memory of 4508	1968	Setup.exe	94
PID 1968 wrote to memory of 4720	1968	Setup.exe	95
PID 1968 wrote to memory of 4720	1968	Setup.exe	95
PID 1968 wrote to memory of 4720	1968	Setup.exe	95
PID 3696 wrote to memory of 4716	3696	rundll32.exe	96

C:\Users\Admin\AppData\Local\Temp\Magic_File_v3_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Magic_File_v3_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:2172
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:1468
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe 001 install5
        5⤵
        Blocklisted process makes network request
        Writes to the Master Boot Record (MBR)
        
        PID:3136
      - C:\Users\Admin\AppData\Roaming\1605720737643.exe
        
        "C:\Users\Admin\AppData\Roaming\1605720737643.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605720737643.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2872
      - C:\Users\Admin\AppData\Roaming\1605720740956.exe
        
        "C:\Users\Admin\AppData\Roaming\1605720740956.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605720740956.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5040
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe 002 install5
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3696
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im firefox.exe
        6⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im firefox.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe 003 install5
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4508
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:708
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
        5⤵
        
        PID:4720
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        Runs ping.exe
        
        PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1864
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        
        PID:3612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1380
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\juppp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\juppp.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
        5⤵
        Executes dropped EXE
        
        PID:4824
    - - C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4532
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\lcx.exe
        
        lcx.exe version2.txt
        5⤵
        Executes dropped EXE
        
        PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup_full.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup_full.exe"
      4⤵
      Executes dropped EXE
      PID:1576
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX2\setup_full.exe"
        5⤵
        
        PID:2696
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        6⤵
        Runs ping.exe
        
        PID:4756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\DreamTrips.bat" "
      4⤵
      Checks computer location settings
      PID:816
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\wyfdggaa.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\wyfdggaa.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4160

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5036

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/708-64-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1864-47-0x00000000713C0000-0x0000000071AAE000-memory.dmp

Filesize
6.9MB

Download
memory/1864-54-0x0000000004DA0000-0x0000000004DB7000-memory.dmp

Filesize
92KB

Download
memory/1864-55-0x0000000004DC0000-0x0000000004DCB000-memory.dmp

Filesize
44KB

Download
memory/1864-56-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1864-49-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1864-65-0x0000000005310000-0x0000000005319000-memory.dmp

Filesize
36KB

Download
memory/1864-66-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/1864-53-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1968-28-0x0000000010000000-0x0000000010196000-memory.dmp

Filesize
1.6MB

Download
memory/1968-23-0x0000000075B50000-0x0000000075BE3000-memory.dmp

Filesize
588KB

Download
memory/2172-27-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2172-24-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3136-31-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/3136-34-0x00000000043F0000-0x00000000045E0000-memory.dmp

Filesize
1.9MB

Download
memory/3612-67-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3612-71-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3696-35-0x0000000005220000-0x0000000005410000-memory.dmp

Filesize
1.9MB

Download
memory/4420-307-0x0000000010000000-0x00000000100E3000-memory.dmp

Filesize
908KB

Download
memory/4508-41-0x0000000004500000-0x00000000046F0000-memory.dmp

Filesize
1.9MB

Download
memory/4896-261-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-268-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-236-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-239-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-240-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-241-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-242-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-243-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-238-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-245-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-244-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-246-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-247-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-248-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-249-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-250-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-252-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-253-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-251-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-254-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-255-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-257-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-258-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-259-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-260-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-256-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-262-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-263-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-235-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-264-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-266-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-265-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-267-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-237-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-269-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-270-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-271-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-273-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-274-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-275-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-276-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-277-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-278-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-272-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-279-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-281-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-282-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-280-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-283-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-284-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-285-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-227-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-169-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4896-144-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4896-136-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4896-98-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4896-95-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4896-93-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4896-234-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-233-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-231-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-232-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-230-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-229-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4896-228-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/4896-89-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4896-77-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download