plugx | e55e95de03dff2a35cb8304d855c944a5309c56ff8d369af0a542e600faa6808

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
31-05-2021 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28A5B3BC1801EA6443643F1AD8710A82.exe
Size

3.1MB
MD5

28a5b3bc1801ea6443643f1ad8710a82
SHA1

8be30d706d5de45bfdba5ff38caba3e9e982fa1b
SHA256

e55e95de03dff2a35cb8304d855c944a5309c56ff8d369af0a542e600faa6808
SHA512

8c7ed424f54f0f05ab03c99a47db60c6a2c3a29f2e251f62f16c1dea3861571ac5ecc5b55612b9fa69230babe35d7ff779aae65e19d34a0558e459c4e5bed24d

Score

10^/10

plugx smokeloader backdoor evasion spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

http://20xbtc.com/upload/

http://yzsnw.com/upload/

http://kaledebiyat.com/upload/

http://expertizizmir.com/upload/

http://dedkndy.com/upload/

http://theuncu.com/upload/

rc4.i32

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4648 created 4180	4648	WerFault.exe	104

Executes dropped EXE 11 IoCs

pid	Process
2876	jg3_3uag.exe
3668	KRSetp.exe
3424	jg3_3uag.exe
4272	Files.exe
4296	Folder.exe
4364	pzyh.exe
4396	pub2.exe
4500	File.exe
4564	jfiag3g_gg.exe
4848	jfiag3g_gg.exe
4180	avawewb

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000001ab2d-219.dat	upx
behavioral2/files/0x000300000001ab2d-220.dat	upx
behavioral2/files/0x000100000001ab73-255.dat	upx
behavioral2/files/0x000100000001ab73-256.dat	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000200000001ab14-128.dat	vmprotect
behavioral2/files/0x000200000001ab14-129.dat	vmprotect
behavioral2/memory/3424-133-0x0000000000400000-0x00000000005DE000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	28A5B3BC1801EA6443643F1AD8710A82.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Files.exe

Loads dropped DLL 2 IoCs

pid	Process
4672	rUNdlL32.eXe
4396	pub2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg3_3uag.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent BF92C5E7555991BC	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2228 set thread context of 4816	2228	svchost.exe	91

autoit_exe 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000200000001ab47-149.dat	autoit_exe
behavioral2/files/0x000200000001ab47-150.dat	autoit_exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4648	4180	WerFault.exe	104

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 942677295a56d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45AC2TN3-666M-M32E-TO40-1MIP137D5TOZ}\1 = "5212"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "fyl6jcg"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 1d24df8b702cd701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 6855083d5a56d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000345449e6267244c4caa52038d96953f03c05d594196fb2e6737de3fe236e24e90747653d79b8a4c5e571042504211848337f76588721e7c14d05c16878f61773f34f1a1711bf045f1ffcd937efa1cd74e59d2a9e5ae52ca4b35a3b617f17b7784e8d6ededa279fa1a763f84c118bd3b49081d12b135ac1b78a9c08ff257138ef541f00ffc79070696ec87b91797df710584a0f7bbb1f9cd5fbeb44de6aa4ee8e9d2615a3a19afc288d49156fd7180d781318ee6026d6d498a96755e5b14f2782d3c227bf3ae655c3490856692ffd986fa90a17004d1e097f8f3010e0ec14cc911d14566e7d12de76442438eff4ca9850f1427010b396c11daa66f2e6c59287f2743add9f67bfe8d78ebc8e226d21461708dfd66e61e0d7619d299296da69d79792553c12e68d6bd971f27297e2a0f0c02d014206709b91e4db990c1bf639c61b3b8657a18a1c23eaede486fe88e87c3a6bc8fa02ff66cd4db0d61e060ea261366aeb36e0900c6a1f6bb4bbac2a9aacdeb5531d5336e315c3b8002ff81744e6c1e7a5840972fe686bcd8001e4c45431879ac43e83f5b06a70bb4698792186b023f3b54f1c1cf4	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20EP1MI0-142C-L17D-YD26-2GCP283P3KMT}\1 = "5128"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = f056554dd378d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4672	rUNdlL32.eXe
4672	rUNdlL32.eXe
2228	svchost.exe
2228	svchost.exe
4396	pub2.exe
4396	pub2.exe
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4396	pub2.exe
4632	MicrosoftEdgeCP.exe
4632	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3668	KRSetp.exe
Token: SeDebugPrivilege	2720	MicrosoftEdge.exe
Token: SeDebugPrivilege	2720	MicrosoftEdge.exe
Token: SeDebugPrivilege	2720	MicrosoftEdge.exe
Token: SeDebugPrivilege	2720	MicrosoftEdge.exe
Token: SeDebugPrivilege	4672	rUNdlL32.eXe
Token: SeDebugPrivilege	2228	svchost.exe
Token: SeDebugPrivilege	4672	rUNdlL32.eXe
Token: SeDebugPrivilege	4672	rUNdlL32.eXe
Token: SeDebugPrivilege	4672	rUNdlL32.eXe
Token: SeDebugPrivilege	4672	rUNdlL32.eXe
Token: SeDebugPrivilege	4672	rUNdlL32.eXe
Token: SeDebugPrivilege	4672	rUNdlL32.eXe
Token: SeDebugPrivilege	4672	rUNdlL32.eXe
Token: SeDebugPrivilege	4648	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4648	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4648	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4648	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4672	rUNdlL32.eXe
Token: SeDebugPrivilege	4672	rUNdlL32.eXe
Token: SeDebugPrivilege	4672	rUNdlL32.eXe
Token: SeDebugPrivilege	4672	rUNdlL32.eXe
Token: SeDebugPrivilege	4672	rUNdlL32.eXe
Token: SeDebugPrivilege	2720	MicrosoftEdge.exe
Token: SeManageVolumePrivilege	3424	jg3_3uag.exe
Token: SeManageVolumePrivilege	3424	jg3_3uag.exe
Token: SeManageVolumePrivilege	3424	jg3_3uag.exe
Token: SeManageVolumePrivilege	3424	jg3_3uag.exe
Token: SeManageVolumePrivilege	3424	jg3_3uag.exe
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeAuditPrivilege	2416	svchost.exe
Token: SeAuditPrivilege	2416	svchost.exe
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeShutdownPrivilege	3024	Process not Found
Token: SeCreatePagefilePrivilege	3024	Process not Found
Token: SeAuditPrivilege	2416	svchost.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
4500	File.exe
4500	File.exe
4500	File.exe
4500	File.exe
4500	File.exe
4500	File.exe
4500	File.exe
4500	File.exe
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
4500	File.exe
4500	File.exe
4500	File.exe
4500	File.exe
4500	File.exe
4500	File.exe
4500	File.exe
4500	File.exe
3024	Process not Found
3024	Process not Found

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2720	MicrosoftEdge.exe
4532	MicrosoftEdgeCP.exe
4532	MicrosoftEdgeCP.exe
2136	MicrosoftEdge.exe
4632	MicrosoftEdgeCP.exe
4632	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3024	Process not Found

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 2876	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	75
PID 4024 wrote to memory of 2876	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	75
PID 4024 wrote to memory of 2876	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	75
PID 4024 wrote to memory of 3668	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	77
PID 4024 wrote to memory of 3668	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	77
PID 2876 wrote to memory of 3424	2876	jg3_3uag.exe	78
PID 2876 wrote to memory of 3424	2876	jg3_3uag.exe	78
PID 2876 wrote to memory of 3424	2876	jg3_3uag.exe	78
PID 4024 wrote to memory of 4272	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	82
PID 4024 wrote to memory of 4272	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	82
PID 4024 wrote to memory of 4272	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	82
PID 4024 wrote to memory of 4296	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	83
PID 4024 wrote to memory of 4296	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	83
PID 4024 wrote to memory of 4296	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	83
PID 4024 wrote to memory of 4364	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	85
PID 4024 wrote to memory of 4364	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	85
PID 4024 wrote to memory of 4364	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	85
PID 4024 wrote to memory of 4396	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	86
PID 4024 wrote to memory of 4396	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	86
PID 4024 wrote to memory of 4396	4024	28A5B3BC1801EA6443643F1AD8710A82.exe	86
PID 4272 wrote to memory of 4500	4272	Files.exe	87
PID 4272 wrote to memory of 4500	4272	Files.exe	87
PID 4272 wrote to memory of 4500	4272	Files.exe	87
PID 4296 wrote to memory of 4672	4296	Folder.exe	90
PID 4296 wrote to memory of 4672	4296	Folder.exe	90
PID 4296 wrote to memory of 4672	4296	Folder.exe	90
PID 4672 wrote to memory of 2228	4672	rUNdlL32.eXe	68
PID 2228 wrote to memory of 4816	2228	svchost.exe	91
PID 2228 wrote to memory of 4816	2228	svchost.exe	91
PID 4672 wrote to memory of 2596	4672	rUNdlL32.eXe	32
PID 2228 wrote to memory of 4816	2228	svchost.exe	91
PID 4672 wrote to memory of 68	4672	rUNdlL32.eXe	61
PID 4672 wrote to memory of 2484	4672	rUNdlL32.eXe	34
PID 4672 wrote to memory of 2416	4672	rUNdlL32.eXe	36
PID 4672 wrote to memory of 1120	4672	rUNdlL32.eXe	55
PID 4672 wrote to memory of 1032	4672	rUNdlL32.eXe	57
PID 4672 wrote to memory of 1448	4672	rUNdlL32.eXe	11
PID 4672 wrote to memory of 1896	4672	rUNdlL32.eXe	44
PID 4672 wrote to memory of 1268	4672	rUNdlL32.eXe	52
PID 4672 wrote to memory of 1316	4672	rUNdlL32.eXe	50
PID 4672 wrote to memory of 2752	4672	rUNdlL32.eXe	28
PID 4672 wrote to memory of 2760	4672	rUNdlL32.eXe	27
PID 4364 wrote to memory of 4564	4364	pzyh.exe	95
PID 4364 wrote to memory of 4564	4364	pzyh.exe	95
PID 4364 wrote to memory of 4564	4364	pzyh.exe	95
PID 4632 wrote to memory of 3880	4632	MicrosoftEdgeCP.exe	100
PID 4632 wrote to memory of 3880	4632	MicrosoftEdgeCP.exe	100
PID 4632 wrote to memory of 3880	4632	MicrosoftEdgeCP.exe	100
PID 4632 wrote to memory of 3880	4632	MicrosoftEdgeCP.exe	100
PID 4632 wrote to memory of 3880	4632	MicrosoftEdgeCP.exe	100
PID 4632 wrote to memory of 3880	4632	MicrosoftEdgeCP.exe	100
PID 4364 wrote to memory of 4848	4364	pzyh.exe	101
PID 4364 wrote to memory of 4848	4364	pzyh.exe	101
PID 4364 wrote to memory of 4848	4364	pzyh.exe	101
PID 1032 wrote to memory of 4180	1032	svchost.exe	104
PID 1032 wrote to memory of 4180	1032	svchost.exe	104
PID 1032 wrote to memory of 4180	1032	svchost.exe	104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2760

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2752

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2484

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1316

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1120

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Roaming\avawewb
  C:\Users\Admin\AppData\Roaming\avawewb
  2⤵
  - Executes dropped EXE
  PID:4180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 260
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Drops file in Windows directory
    - Program crash
    PID:4648

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:68

C:\Users\Admin\AppData\Local\Temp\28A5B3BC1801EA6443643F1AD8710A82.exe
"C:\Users\Admin\AppData\Local\Temp\28A5B3BC1801EA6443643F1AD8710A82.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
  "C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg3_3uag.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg3_3uag.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3668
- C:\Users\Admin\AppData\Local\Temp\Files.exe
  "C:\Users\Admin\AppData\Local\Temp\Files.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\File.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\File.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4500
- C:\Users\Admin\AppData\Local\Temp\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SysWOW64\rUNdlL32.eXe
    "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setpwd
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4672
- C:\Users\Admin\AppData\Local\Temp\pzyh.exe
  "C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:4564
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:4848
- C:\Users\Admin\AppData\Local\Temp\pub2.exe
  "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4396

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Modifies registry class
  PID:4816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2720

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2988

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4532

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/68-198-0x000001F5A3030000-0x000001F5A30A0000-memory.dmp

Filesize
448KB

Download
memory/1032-181-0x00000229A8860000-0x00000229A88D0000-memory.dmp

Filesize
448KB

Download
memory/1120-175-0x0000022DEB750000-0x0000022DEB7C0000-memory.dmp

Filesize
448KB

Download
memory/1120-172-0x0000022DEAD70000-0x0000022DEADBB000-memory.dmp

Filesize
300KB

Download
memory/1268-199-0x000002A94F1D0000-0x000002A94F240000-memory.dmp

Filesize
448KB

Download
memory/1316-205-0x00000280C1F70000-0x00000280C1FE0000-memory.dmp

Filesize
448KB

Download
memory/1448-188-0x0000024AA2900000-0x0000024AA2970000-memory.dmp

Filesize
448KB

Download
memory/1896-193-0x0000021BF0CD0000-0x0000021BF0D40000-memory.dmp

Filesize
448KB

Download
memory/2228-180-0x000002E256A10000-0x000002E256A80000-memory.dmp

Filesize
448KB

Download
memory/2416-169-0x0000011F466B0000-0x0000011F46720000-memory.dmp

Filesize
448KB

Download
memory/2484-204-0x000002D76D070000-0x000002D76D0E0000-memory.dmp

Filesize
448KB

Download
memory/2596-187-0x000001F72A790000-0x000001F72A800000-memory.dmp

Filesize
448KB

Download
memory/2752-210-0x000001E5E9040000-0x000001E5E90B0000-memory.dmp

Filesize
448KB

Download
memory/2760-214-0x0000024613A40000-0x0000024613AB0000-memory.dmp

Filesize
448KB

Download
memory/3024-221-0x0000000000D40000-0x0000000000D56000-memory.dmp

Filesize
88KB

Download
memory/3424-223-0x0000000003530000-0x0000000003540000-memory.dmp

Filesize
64KB

Download
memory/3424-229-0x00000000036D0000-0x00000000036E0000-memory.dmp

Filesize
64KB

Download
memory/3424-133-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3424-236-0x0000000004C20000-0x0000000004C28000-memory.dmp

Filesize
32KB

Download
memory/3424-235-0x00000000048E0000-0x00000000048E8000-memory.dmp

Filesize
32KB

Download
memory/3668-126-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/3668-131-0x000000001B3E0000-0x000000001B3E2000-memory.dmp

Filesize
8KB

Download
memory/3668-124-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/3668-132-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3668-130-0x0000000000FC0000-0x0000000000FE0000-memory.dmp

Filesize
128KB

Download
memory/4180-263-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4180-262-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/4396-217-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4396-216-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/4672-168-0x0000000004435000-0x0000000004536000-memory.dmp

Filesize
1.0MB

Download
memory/4672-170-0x0000000000EB0000-0x0000000000F0C000-memory.dmp

Filesize
368KB

Download
memory/4816-192-0x0000022AC5940000-0x0000022AC59B0000-memory.dmp

Filesize
448KB

Download