Resubmissions
13-02-2021 13:20
210213-v5rv7ejb7n 10Analysis
-
max time kernel
1800s -
max time network
1384s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
13-02-2021 13:20
Static task
static1
Behavioral task
behavioral1
Sample
Kepserverex_5_5_14_493_crack_by_CORE.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Kepserverex_5_5_14_493_crack_by_CORE.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Kepserverex_5_5_14_493_crack_by_CORE.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Kepserverex_5_5_14_493_crack_by_CORE.exe
Resource
win10v20201028
General
-
Target
Kepserverex_5_5_14_493_crack_by_CORE.exe
-
Size
9.0MB
-
MD5
10a7ec6eec9d29e7cf84477015651b65
-
SHA1
c6b132ff8919f5da4959d68b5a9cf86919ccebee
-
SHA256
a252756f1326333e8587740cfecad63d80ffd26dd49d6b9699d685fb5096b730
-
SHA512
34c53db9f782e6899004673c3c531b58aacc2153554fd2ca06b47d80d21f8d536912f4ec7f7336738e24b034f5a567b32cf99015ee8c01259902b63a86722aaa
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
smokeloader
2020
http://naritouzina.net/
http://nukaraguasleep.net/
http://notfortuaj.net/
http://natuturalistic.net/
http://zaniolofusa.net/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Nirsoft 8 IoCs
resource yara_rule behavioral1/files/0x000100000001ab85-67.dat Nirsoft behavioral1/files/0x000100000001ab85-68.dat Nirsoft behavioral1/files/0x000100000001aba4-77.dat Nirsoft behavioral1/files/0x000100000001aba4-78.dat Nirsoft behavioral1/files/0x000200000001aba4-86.dat Nirsoft behavioral1/files/0x000200000001aba4-87.dat Nirsoft behavioral1/files/0x000100000001abb0-98.dat Nirsoft behavioral1/files/0x000100000001abb0-99.dat Nirsoft -
Executes dropped EXE 37 IoCs
pid Process 668 keygen-pr.exe 3084 keygen-step-1.exe 732 keygen-step-3.exe 856 keygen-step-4.exe 4004 key.exe 1188 Setup.exe 2296 key.exe 1700 6489A2274AE24900.exe 1092 6489A2274AE24900.exe 2292 md2_2efs.exe 4240 1613225902607.exe 4324 1613225907079.exe 4392 1613225912796.exe 4740 file.exe 5012 GDIView.exe 4180 67F2.tmp.exe 5100 67F2.tmp.exe 2756 BTRSetp.exe 4364 installer.exe 4384 8543617.93 4388 5503031.60 4568 6915393.76 4796 Windows Host.exe 4804 gdrrr.exe 4812 jfiag3g_gg.exe 1224 ThunderFW.exe 4088 jfiag3g_gg.exe 4308 MiniThunderPlatform.exe 4988 23E04C4F32EF2158.exe 5036 23E04C4F32EF2158.tmp 4620 seed.sfx.exe 768 seed.exe 5364 tjjbeji 5660 jfiag3g_gg.exe 5680 tjjbeji 5756 jfiag3g_gg.exe 5784 tjjbeji -
resource yara_rule behavioral1/files/0x000100000001ab7b-35.dat office_xlm_macros -
resource yara_rule behavioral1/files/0x000100000001abd6-165.dat upx behavioral1/files/0x000100000001abd6-164.dat upx behavioral1/files/0x000100000001abe1-180.dat upx behavioral1/files/0x000100000001abe1-181.dat upx -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6915393.76 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6915393.76 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation cmd.exe -
Loads dropped DLL 14 IoCs
pid Process 3696 MsiExec.exe 1700 6489A2274AE24900.exe 1700 6489A2274AE24900.exe 4308 MiniThunderPlatform.exe 4308 MiniThunderPlatform.exe 4308 MiniThunderPlatform.exe 4308 MiniThunderPlatform.exe 4308 MiniThunderPlatform.exe 4308 MiniThunderPlatform.exe 4308 MiniThunderPlatform.exe 768 seed.exe 5364 tjjbeji 5680 tjjbeji 5784 tjjbeji -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x000100000001abcd-134.dat themida behavioral1/memory/4568-146-0x0000000000C40000-0x0000000000C41000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" gdrrr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe" 5503031.60 -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Setup.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md2_2efs.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6915393.76 -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 49 api.ipify.org 57 ip-api.com -
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 MiniThunderPlatform.exe File opened for modification \??\PhysicalDrive0 Setup.exe File opened for modification \??\PhysicalDrive0 6489A2274AE24900.exe File opened for modification \??\PhysicalDrive0 6489A2274AE24900.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1188 Setup.exe 4568 6915393.76 -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 4004 set thread context of 2296 4004 key.exe 90 PID 1700 set thread context of 4912 1700 6489A2274AE24900.exe 106 PID 1700 set thread context of 4312 1700 6489A2274AE24900.exe 117 PID 1700 set thread context of 4380 1700 6489A2274AE24900.exe 119 PID 4180 set thread context of 5100 4180 67F2.tmp.exe 129 -
Drops file in Program Files directory 51 IoCs
description ioc Process File created C:\Program Files (x86)\HappyNewYear\is-8H8K0.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-K058O.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-JEC6L.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-293MT.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\lang\is-I8T6J.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\gdiview\gdiview\GDIView.exe msiexec.exe File created C:\Program Files (x86)\HappyNewYear\is-5LLJJ.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-7HMGI.tmp 23E04C4F32EF2158.tmp File opened for modification C:\Program Files (x86)\Seed Trade\Seed seed.sfx.exe File opened for modification C:\Program Files (x86)\Seed Trade\Seed\seed.exe seed.sfx.exe File created C:\Program Files (x86)\HappyNewYear\images\is-1CR65.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-76LNK.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-9QA74.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-ID6HC.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-JJF14.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-C0P45.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\gdiview\gdiview\readme.txt msiexec.exe File opened for modification C:\Program Files (x86)\HappyNewYear\seed.sfx.exe 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-U5A7D.tmp 23E04C4F32EF2158.tmp File opened for modification C:\Program Files (x86)\HappyNewYear\unins000.dat 23E04C4F32EF2158.tmp File opened for modification C:\Program Files (x86)\HappyNewYear\DreamTrip.exe 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-P09LB.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-QEUM5.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-4C2SC.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-8CCOE.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-EG38T.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-PUIK3.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\lang\is-07JV3.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\gdiview\gdiview\GDIView.chm msiexec.exe File created C:\Program Files (x86)\HappyNewYear\is-4MVRC.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-I7HMO.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-ADT1D.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\Seed Trade\Seed\__tmp_rar_sfx_access_check_259377921 seed.sfx.exe File created C:\Program Files (x86)\Seed Trade\Seed\seed.exe seed.sfx.exe File created C:\Program Files (x86)\HappyNewYear\images\is-JG9MR.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-K0EID.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-9EFUE.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-NF40M.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-HI11O.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-38RRT.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-1F89P.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-M69AG.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-IQDG4.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-FI3L3.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-IL784.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-CCT4O.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\images\is-DJ4VP.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\unins000.dat 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-OUBCO.tmp 23E04C4F32EF2158.tmp File created C:\Program Files (x86)\HappyNewYear\is-J46PC.tmp 23E04C4F32EF2158.tmp File opened for modification C:\Program Files (x86)\Seed Trade seed.sfx.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\Installer\f754e7e.msi msiexec.exe File opened for modification C:\Windows\Installer\f754e7e.msi msiexec.exe File created C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831} msiexec.exe File opened for modification C:\Windows\Installer\MSI51E9.tmp msiexec.exe File created C:\Windows\Installer\f754e80.msi msiexec.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 4976 2292 WerFault.exe 104 4628 4384 WerFault.exe 135 -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName 6489A2274AE24900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc 6489A2274AE24900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc svchost.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI seed.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName 6489A2274AE24900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 6489A2274AE24900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI seed.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI tjjbeji Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 6489A2274AE24900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI tjjbeji Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI tjjbeji Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 67F2.tmp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 67F2.tmp.exe -
Kills process with taskkill 1 IoCs
pid Process 5048 taskkill.exe -
Modifies Control Panel 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors MicrosoftEdge.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileVersion = "10" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "4ir3t70" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "320001410" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 299240381302d701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000085833e0f3568e9f7a337b4504e58e18edd4de1373a59bb1a1a734f7f3c711cf6169279004adb46417cfcc01c93a5bf3672850c124453dd40f4a545745779284c629ab118a263b47a3683167a18b0455784854b07f9f142575ae96467c04e578c7f3b0bd74921dd5fde6b3a84e697c1ae11efe2af9055241513de23ac8a10f45125153bab543386efc754d79c6e7c47697961a7ae589e2f26d2239b85f5dff5f60cc85d09d2ba572594deb40dc07dafbfd27cedcc65ecc2d1505a6639dedb5867c2f3cf12c9d6d00720aa0a3618bcc26808e1d2a8ae5e76ed2622c62e9324fdafec385acc6ea8ab047d56a9234358c9daf02ed6f6b0169b20b31a6424aada376ac53696e3744ec49c6783fab3fa70ff5a6905674c4233bf7c74e4fe72c51d35f6838d3b06d5e9ac5fe8d10964752669dcec045b8033d51a5d621f7e5cd90d2081aadd50c9399a203cc4e06d6eff9893b38acc8d9a5c1cfba0d96abb71b1ca84de5bc61c1d037f141892503aef5de85a1734fea150b5273d2821675905b874e63116e89b57e1b943bf64c2fd24d334fb6bbb383d149618abb0aad01692914cad54758887e2ef0c MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658 = 03000000010000001400000083da05a9886f7658be73acf0a4930c0f99b92f011400000001000000140000003656896549cb5b9b2f3cac4216504d91b933d79104000000010000001000000062455357dd57cb80c32ab295743cccc00f00000001000000200000006811c6215f18c75fdbe32cf56bd66248562a7fa3ba459cfee338745061e583941900000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d705c000000010000000400000000100000180000000100000010000000bb048f1838395f6fc3a1f3d2b7e976542000000001000000dc060000308206d8308204c0a003020102020a613fb718000000000004300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131313031383232353531395a170d3236313031383233303531395a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f66742053656375726520536572766572204341203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100d00bc0a4a81981e236e5e2aae5f3b2155875beb4e549f1e084f9bb0d64ef85c18155b8f3e7f16d40553dce8b6ad18493f5757c5ba4d47410ca32f323d3aeeecf9e0458c2d947cbd17c004148711b01671718afc6fe73037ee4ef439cef01712a1f81264377985457739d552bf09e8e7d060eac1b54f326f7f82308228b9e061d3738fd72d2cae563c19a5a7db26db352a96ee9aeb5fc8b36f99efaf61c581b9756a511e5b752dbbbe9f054bfb4ff2c6cb85d26cea00ad7df93ed7fddacf12c731ad9193755badd22788ea1d49b09f807223171b094aee0b0e726445790819715ce61ec65e24bf185521632f8b578aa7ecd4dec8321a4a89bbe9a6a04e0a31ccd56186cfd6b2f423ee237f272abd07873727bdeec0058e52130a3083a99ef9fc3f77a169665b5c381aff4397049aff6a9f66a0038f9b40819e01a35a55676225f6af269ae3ead58464db854f68941441e72b1bc122753d2c1ffb2cd50981eb5f4bbb6c28239d9ac1bf23b27846ab0c6260bd73a10e7b3db7cd356ac534c0bfa3b313774d8592bf9007919067bfd1c1d42d4410d2f050ed56b4923ffcfcdf87a82cfda3c2ddfe8d8120418ba1e8877b8981f1007bbc8057e0b09bf6bdde34e5bb0f9c784a63bca4c9f5b6229f7c7a2a89588702ce5c13f3c52234f409ac33185832fbf29f11d508f219607ceeff280c2447d9b62ef2fc37789ab454d533e0279d30203010001a382014b30820147301006092b06010401823715010403020100301d0603551d0e041604143656896549cb5b9b2f3cac4216504d91b933d791301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014722d3a02319043b914054ee1eaa7c731d1238934305a0603551d1f04533051304fa04da04b8649687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f436572417574323031315f323031315f30335f32322e63726c305e06082b0601050507010104523050304e06082b060105050730028642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f436572417574323031315f323031315f30335f32322e637274300d06092a864886f70d01010b0500038202010041c861c1f55b9e3e9131f1b0c6bf0901b49db69074d709dba62e0d9fc8e7763446af0760894c81b33cd5f4123575c273a5f54d848ccba45dafbf92f617085742957265057679adeed1bab82e54a35107ac68eb210ce32581c2cd2af2c3ffcfc2bd49189ac7f084c5f914bc6b95e596efb342d253d54aa012c4ae12765309560e9df7d3a6498850f28a2c9720a2be4e78ef0565b74ba11688de31c70842247ca47b9e9dbc60005e6297e393fca7fe5b7b25dfe4537f4bbee63ef0db0179421c6e856c7db64430fba5379293b2a5ee20ad3f53d5c9f4286b57c1f81d6ab7562ab627811ca62d9fe7f4d0318397a82ab6acbe1b41f5e4895f56fbda5ad35e7d5594107e5357f44a3d402ac8bd679f84e110eefdda6b158249fc461dff4506749c4214edc539d3b3cd0b832790435192f24482ae6e9a1517b219fac7456c98017bbf37a9b088a492bc3838e01de47c97981a2e5fef3865b7352fbd7f4f21fac48cd26f06f94935eadf200f25aaea60ab2c1f4b89fcb7fa5c54904b3ea2284f6ce45265c1fd901c8582886ee9a655dd21287945b014e50acce65fc4bbdb6134699fac2638f7c1294108152e4ca0f7f90c3ede5fab08092d83acac348362f4c949428925b56eb247c5b339a0b1201b2cb18e046fa530491cd046e9405bf4ad6ebadb824a87124a80094ddbdf76b9055b1be0bb20705f0025c7d30efa16ad7b229e7108 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0984c5461302d701 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = c07e51b9a91ad701 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8cbdd44d1302d701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion MicrosoftEdge.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576 Setup.exe -
Runs ping.exe 1 TTPs 5 IoCs
pid Process 4284 PING.EXE 4316 PING.EXE 4356 PING.EXE 1352 PING.EXE 4124 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4004 key.exe 4004 key.exe 4976 WerFault.exe 4976 WerFault.exe 4976 WerFault.exe 4976 WerFault.exe 4976 WerFault.exe 4976 WerFault.exe 4976 WerFault.exe 4976 WerFault.exe 4976 WerFault.exe 4976 WerFault.exe 4976 WerFault.exe 4976 WerFault.exe 4976 WerFault.exe 4976 WerFault.exe 4976 WerFault.exe 4976 WerFault.exe 4240 1613225902607.exe 4240 1613225902607.exe 4324 1613225907079.exe 4324 1613225907079.exe 4392 1613225912796.exe 4392 1613225912796.exe 2720 msiexec.exe 2720 msiexec.exe 5012 GDIView.exe 5012 GDIView.exe 5100 67F2.tmp.exe 5100 67F2.tmp.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4628 WerFault.exe 4088 jfiag3g_gg.exe 4088 jfiag3g_gg.exe 4568 6915393.76 4568 6915393.76 4568 6915393.76 5036 23E04C4F32EF2158.tmp 5036 23E04C4F32EF2158.tmp 768 seed.exe 768 seed.exe 2868 Process not Found 2868 Process not Found 2868 Process not Found 2868 Process not Found 2868 Process not Found 2868 Process not Found -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 1468 MicrosoftEdgeCP.exe 768 seed.exe 5364 tjjbeji 5680 tjjbeji 5784 tjjbeji -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3280 msiexec.exe Token: SeIncreaseQuotaPrivilege 3280 msiexec.exe Token: SeSecurityPrivilege 2720 msiexec.exe Token: SeCreateTokenPrivilege 3280 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3280 msiexec.exe Token: SeLockMemoryPrivilege 3280 msiexec.exe Token: SeIncreaseQuotaPrivilege 3280 msiexec.exe Token: SeMachineAccountPrivilege 3280 msiexec.exe Token: SeTcbPrivilege 3280 msiexec.exe Token: SeSecurityPrivilege 3280 msiexec.exe Token: SeTakeOwnershipPrivilege 3280 msiexec.exe Token: SeLoadDriverPrivilege 3280 msiexec.exe Token: SeSystemProfilePrivilege 3280 msiexec.exe Token: SeSystemtimePrivilege 3280 msiexec.exe Token: SeProfSingleProcessPrivilege 3280 msiexec.exe Token: SeIncBasePriorityPrivilege 3280 msiexec.exe Token: SeCreatePagefilePrivilege 3280 msiexec.exe Token: SeCreatePermanentPrivilege 3280 msiexec.exe Token: SeBackupPrivilege 3280 msiexec.exe Token: SeRestorePrivilege 3280 msiexec.exe Token: SeShutdownPrivilege 3280 msiexec.exe Token: SeDebugPrivilege 3280 msiexec.exe Token: SeAuditPrivilege 3280 msiexec.exe Token: SeSystemEnvironmentPrivilege 3280 msiexec.exe Token: SeChangeNotifyPrivilege 3280 msiexec.exe Token: SeRemoteShutdownPrivilege 3280 msiexec.exe Token: SeUndockPrivilege 3280 msiexec.exe Token: SeSyncAgentPrivilege 3280 msiexec.exe Token: SeEnableDelegationPrivilege 3280 msiexec.exe Token: SeManageVolumePrivilege 3280 msiexec.exe Token: SeImpersonatePrivilege 3280 msiexec.exe Token: SeCreateGlobalPrivilege 3280 msiexec.exe Token: SeCreateTokenPrivilege 3280 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3280 msiexec.exe Token: SeLockMemoryPrivilege 3280 msiexec.exe Token: SeIncreaseQuotaPrivilege 3280 msiexec.exe Token: SeMachineAccountPrivilege 3280 msiexec.exe Token: SeTcbPrivilege 3280 msiexec.exe Token: SeSecurityPrivilege 3280 msiexec.exe Token: SeTakeOwnershipPrivilege 3280 msiexec.exe Token: SeLoadDriverPrivilege 3280 msiexec.exe Token: SeSystemProfilePrivilege 3280 msiexec.exe Token: SeSystemtimePrivilege 3280 msiexec.exe Token: SeProfSingleProcessPrivilege 3280 msiexec.exe Token: SeIncBasePriorityPrivilege 3280 msiexec.exe Token: SeCreatePagefilePrivilege 3280 msiexec.exe Token: SeCreatePermanentPrivilege 3280 msiexec.exe Token: SeBackupPrivilege 3280 msiexec.exe Token: SeRestorePrivilege 3280 msiexec.exe Token: SeShutdownPrivilege 3280 msiexec.exe Token: SeDebugPrivilege 3280 msiexec.exe Token: SeAuditPrivilege 3280 msiexec.exe Token: SeSystemEnvironmentPrivilege 3280 msiexec.exe Token: SeChangeNotifyPrivilege 3280 msiexec.exe Token: SeRemoteShutdownPrivilege 3280 msiexec.exe Token: SeUndockPrivilege 3280 msiexec.exe Token: SeSyncAgentPrivilege 3280 msiexec.exe Token: SeEnableDelegationPrivilege 3280 msiexec.exe Token: SeManageVolumePrivilege 3280 msiexec.exe Token: SeImpersonatePrivilege 3280 msiexec.exe Token: SeCreateGlobalPrivilege 3280 msiexec.exe Token: SeCreateTokenPrivilege 3280 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3280 msiexec.exe Token: SeLockMemoryPrivilege 3280 msiexec.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 3280 msiexec.exe 3280 msiexec.exe 5036 23E04C4F32EF2158.tmp -
Suspicious use of SetWindowsHookEx 17 IoCs
pid Process 1188 Setup.exe 1700 6489A2274AE24900.exe 1092 6489A2274AE24900.exe 4912 firefox.exe 4240 1613225902607.exe 4312 firefox.exe 4324 1613225907079.exe 4380 firefox.exe 4392 1613225912796.exe 1224 ThunderFW.exe 4308 MiniThunderPlatform.exe 4988 23E04C4F32EF2158.exe 5036 23E04C4F32EF2158.tmp 4620 seed.sfx.exe 4640 MicrosoftEdge.exe 1468 MicrosoftEdgeCP.exe 1468 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 944 wrote to memory of 3300 944 Kepserverex_5_5_14_493_crack_by_CORE.exe 79 PID 944 wrote to memory of 3300 944 Kepserverex_5_5_14_493_crack_by_CORE.exe 79 PID 944 wrote to memory of 3300 944 Kepserverex_5_5_14_493_crack_by_CORE.exe 79 PID 3300 wrote to memory of 668 3300 cmd.exe 82 PID 3300 wrote to memory of 668 3300 cmd.exe 82 PID 3300 wrote to memory of 668 3300 cmd.exe 82 PID 3300 wrote to memory of 3084 3300 cmd.exe 83 PID 3300 wrote to memory of 3084 3300 cmd.exe 83 PID 3300 wrote to memory of 3084 3300 cmd.exe 83 PID 3300 wrote to memory of 732 3300 cmd.exe 84 PID 3300 wrote to memory of 732 3300 cmd.exe 84 PID 3300 wrote to memory of 732 3300 cmd.exe 84 PID 3300 wrote to memory of 856 3300 cmd.exe 85 PID 3300 wrote to memory of 856 3300 cmd.exe 85 PID 3300 wrote to memory of 856 3300 cmd.exe 85 PID 668 wrote to memory of 4004 668 keygen-pr.exe 86 PID 668 wrote to memory of 4004 668 keygen-pr.exe 86 PID 668 wrote to memory of 4004 668 keygen-pr.exe 86 PID 732 wrote to memory of 2760 732 keygen-step-3.exe 87 PID 732 wrote to memory of 2760 732 keygen-step-3.exe 87 PID 732 wrote to memory of 2760 732 keygen-step-3.exe 87 PID 856 wrote to memory of 1188 856 keygen-step-4.exe 89 PID 856 wrote to memory of 1188 856 keygen-step-4.exe 89 PID 856 wrote to memory of 1188 856 keygen-step-4.exe 89 PID 2760 wrote to memory of 1352 2760 cmd.exe 91 PID 2760 wrote to memory of 1352 2760 cmd.exe 91 PID 2760 wrote to memory of 1352 2760 cmd.exe 91 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 4004 wrote to memory of 2296 4004 key.exe 90 PID 1188 wrote to memory of 3280 1188 Setup.exe 94 PID 1188 wrote to memory of 3280 1188 Setup.exe 94 PID 1188 wrote to memory of 3280 1188 Setup.exe 94 PID 2720 wrote to memory of 3696 2720 msiexec.exe 97 PID 2720 wrote to memory of 3696 2720 msiexec.exe 97 PID 2720 wrote to memory of 3696 2720 msiexec.exe 97 PID 1188 wrote to memory of 1700 1188 Setup.exe 98 PID 1188 wrote to memory of 1700 1188 Setup.exe 98 PID 1188 wrote to memory of 1700 1188 Setup.exe 98 PID 1188 wrote to memory of 1092 1188 Setup.exe 99 PID 1188 wrote to memory of 1092 1188 Setup.exe 99 PID 1188 wrote to memory of 1092 1188 Setup.exe 99 PID 1188 wrote to memory of 1628 1188 Setup.exe 102 PID 1188 wrote to memory of 1628 1188 Setup.exe 102 PID 1188 wrote to memory of 1628 1188 Setup.exe 102 PID 856 wrote to memory of 2292 856 keygen-step-4.exe 104 PID 856 wrote to memory of 2292 856 keygen-step-4.exe 104 PID 856 wrote to memory of 2292 856 keygen-step-4.exe 104 PID 1628 wrote to memory of 4124 1628 cmd.exe 105 PID 1628 wrote to memory of 4124 1628 cmd.exe 105 PID 1628 wrote to memory of 4124 1628 cmd.exe 105 PID 1700 wrote to memory of 4912 1700 6489A2274AE24900.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\Kepserverex_5_5_14_493_crack_by_CORE.exe"C:\Users\Admin\AppData\Local\Temp\Kepserverex_5_5_14_493_crack_by_CORE.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
- Executes dropped EXE
PID:2296
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
PID:3084
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
PID:1352
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3280
-
-
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exeC:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp15⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4912
-
-
C:\Users\Admin\AppData\Roaming\1613225902607.exe"C:\Users\Admin\AppData\Roaming\1613225902607.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613225902607.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4240
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4312
-
-
C:\Users\Admin\AppData\Roaming\1613225907079.exe"C:\Users\Admin\AppData\Roaming\1613225907079.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613225907079.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4324
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4380
-
-
C:\Users\Admin\AppData\Roaming\1613225912796.exe"C:\Users\Admin\AppData\Roaming\1613225912796.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613225912796.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4392
-
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1224
-
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4308
-
-
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exeC:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4988 -
C:\Users\Admin\AppData\Local\Temp\is-RNS2I.tmp\23E04C4F32EF2158.tmp"C:\Users\Admin\AppData\Local\Temp\is-RNS2I.tmp\23E04C4F32EF2158.tmp" /SL5="$B00D4,815708,121344,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5036 -
C:\Program Files (x86)\HappyNewYear\seed.sfx.exe"C:\Program Files (x86)\HappyNewYear\seed.sfx.exe" -pX7mdks39WE0 -s18⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4620 -
C:\Program Files (x86)\Seed Trade\Seed\seed.exe"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:768
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/14Zhe7"8⤵
- Checks computer location settings
PID:2116
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"6⤵PID:4508
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
PID:4356
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exeC:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp15⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:1092 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵PID:4984
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
PID:5048
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"6⤵PID:1324
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
PID:4284
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 36⤵
- Runs ping.exe
PID:4124
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2292 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 29445⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4976
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"4⤵
- Executes dropped EXE
PID:4740 -
C:\Users\Admin\AppData\Roaming\67F2.tmp.exe"C:\Users\Admin\AppData\Roaming\67F2.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4180 -
C:\Users\Admin\AppData\Roaming\67F2.tmp.exe"C:\Users\Admin\AppData\Roaming\67F2.tmp.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5100
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"5⤵PID:4244
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
PID:4316
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"4⤵
- Executes dropped EXE
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe"5⤵
- Executes dropped EXE
PID:4364 -
C:\ProgramData\8543617.93"C:\ProgramData\8543617.93"6⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 7247⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4628
-
-
-
C:\ProgramData\5503031.60"C:\ProgramData\5503031.60"6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4388 -
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"7⤵
- Executes dropped EXE
PID:4796
-
-
-
C:\ProgramData\6915393.76"C:\ProgramData\6915393.76"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4568
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\gdrrr.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gdrrr.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4804 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
PID:4812
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4088
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
PID:5660
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
PID:5756
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DDB8CAD36971DD2CAF4BDD628A7C235D C2⤵
- Loads dropped DLL
PID:3696
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:4560
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1384
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3584
-
C:\Program Files (x86)\gdiview\gdiview\GDIView.exe"C:\Program Files (x86)\gdiview\gdiview\GDIView.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5012
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4640
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:4348
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1468
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:788
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵PID:2372
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:4108
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:5184
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:5268
-
C:\Users\Admin\AppData\Roaming\tjjbejiC:\Users\Admin\AppData\Roaming\tjjbeji1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:5364
-
C:\Users\Admin\AppData\Roaming\tjjbejiC:\Users\Admin\AppData\Roaming\tjjbeji1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5680
-
C:\Users\Admin\AppData\Roaming\tjjbejiC:\Users\Admin\AppData\Roaming\tjjbeji1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5784