golddragon | hxxp://alebastersbastard[.]com/index_files/

Analysis

max time kernel
545s
max time network
431s
platform
windows10_x64
resource
win10v20210410
submitted
23-08-2021 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://alebastersbastard.com/index_files/
Sample

210823-5ldyycyrde

Score

10^/10

golddragon backdoor discovery

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
3448	ebook.exe
2224	ebook.tmp
4700	ebookreader.exe
2956	ebook_reader_setup.exe
2944	ebook_reader_setup.tmp
1784	ebookreader.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	ebookreader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	ebook_reader_setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	ebook.tmp

Loads dropped DLL 64 IoCs

pid	Process
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-95J8D.tmp	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-S39KJ.tmp	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\unins000.dat	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\qicns.dll	ebook.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\icuuc54.dll	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-S2TPO.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-H501Q.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-1QP4K.tmp	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-U7B31.tmp	ebook.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5Qml.dll	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\quazip.dll	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\vcomp100.dll	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-JUV40.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-R96E6.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-BFR77.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-PN6EM.tmp	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-5NKNN.tmp	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\ebooksvc.exe	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-D32Q1.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\unins000.msg	ebook.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5Gui.dll	ebook.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\qwbmp.dll	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-V3VND.tmp	ebook.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\unrar.dll	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-S6B47.tmp	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\libEGL.dll	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-926NB.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\is-K3PGU.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-HUSC3.tmp	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\CrashSender1403.exe	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-LLUM2.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-T63QL.tmp	ebook.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5Sensors.dll	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-OUA5U.tmp	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-EUGAH.tmp	ebook.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\icudt54.dll	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\ebookreader.exe	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\is-7J7EJ.tmp	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-3FKH6.tmp	ebook.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5Gui.dll	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-MU417.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-HIDPR.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-60EDQ.tmp	ebook.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5PrintSupport.dll	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-NDBG0.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-AI18T.tmp	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-B862M.tmp	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-IM9NI.tmp	ebook.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5Sensors.dll	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-4Q8BM.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-JJRH7.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-0RO2B.tmp	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-G84LF.tmp	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-HMH2S.tmp	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-PQ3TP.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-DKE9E.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-U6BJ2.tmp	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5Network.dll	ebook.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\qjpeg.dll	ebook.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\qtiff.dll	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-62PK8.tmp	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-K8GHB.tmp	ebook.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-07L9A.tmp	ebook.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\qwbmp.dll	ebook_reader_setup.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 339704ea112ed701	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30906471"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30906471"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d06cf2b06798d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000067abca05553e624a921ede633ed96db900000000020000000000106600000001000020000000d4539cc9e25f6c51250f092ec48453f8b453dd79521a8662bcc6aeaa5c1b037c000000000e8000000002000020000000f4c9829dab4659654fd1bdd7d623f27326a35308b2ad61cb910818d60784c8cc20000000fab17af86c85f17426252ea51555a55500f9ab528f3ca7cf2125c071754b0ce3400000008620c0689da55e7cb1afdc4745d56f1b0726732d55778e02e11699b132bd12baeaa7522cdbce9db15754484b0051dd568b31fc54eb085c24bd640837843736ae	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30aad71e6898d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30906471"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000067abca05553e624a921ede633ed96db9000000000200000000001066000000010000200000009a1da63971ce2c53ee727117c60a6d2b40dafeafd4121c9dfd919ba06ff34b0c000000000e8000000002000020000000e1a6e5c3b32ef21bbe093e9339e801902d68c0df252a7d5a0a9d6a700a4ee20f2000000089eda61ec6b6871b18f8a7b9932bbdba4919db9ced213e75c03f323582e0178d4000000085e8aaa1891c548c25ab8078a85a407326f30ca314ab53957a255807a4efc1a00945951203f7fd51da475d2eebc60f37a2eca03a58b081bdc060725549764e81	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2949148826"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2949148826"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{F59078FE-D052-4E54-8812-AD41DF360119}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "336519856"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "336568442"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000067abca05553e624a921ede633ed96db900000000020000000000106600000001000020000000ced0ac835434381a403ee45d1ef67ddad1fe13f229bf3ca8fc95d240fa1ac603000000000e8000000002000020000000061c469e1c1b6cc80a332c6ed6506c355b9d6e11fe0ab65c21f3489946a52dbf80010000a31d70f55af6660c2d0110fb1cdbe6163226db491e3a638b36e75a9a2da96cb97afb850ff732959c2869e30be385842843181a3a606a91ba895ac05a3d0124a5f8766328da3a78761268799cbf6d6cb9aa0ba653218c9c13f950a4dfc3550e284f453beec23f4b3c51e3ca166e5ec4983d02f26ecf3d790e8d44bd1b52431e3c5a0c4761610ff5bfc647f07db1001115a3ce49f4757540b0c47c1a4d513edabb8f4d587b57431e2dd8c92723338527aab762403f4d748cc5a243a06f7df65761a81cf22cd7604eac98842cbc8fbcda8093488f12076190063866e03967e13d4dbe69ca4ccfd59284913faf4d74ebebd1438a9cf2f2ba16f2c8773e9ac0f32a48d6b710981fc43107eb14476af577b8bb62379ecd529b8e546c0ecccf5ca7b406a32ae21a3a08cc229f261572d75c45615827931cee5329c1b27440f780851ddd2720a31399555efd3ac1c5b6be7c423fed268a05ef40bc1a123d6ad0c2314e035a3b3b142ff90bf740ff9351909f584f150c88e112595cd54e8327feb66d45514000000001ff0fcdf30cac6d0738b55a4c745e468f3193396603343e835697e37d495749623db9459ac218b65c0433ba6c6d505805a3e26ab49246601bd3a0264ba5d01b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000067abca05553e624a921ede633ed96db900000000020000000000106600000001000020000000e814fd236bc9b6371af712c580511b9594b62905b596135ef681d39199c86afb000000000e8000000002000020000000389ff997d6b2c99d73e82d4cfc0d179ab8c11427483b1384d0e1e45e56810a5c80010000deecd83bc7bd03a3524f3484f8f3dce184d7575f1f72cc57bc5c3ee9f234a8c3662340c7fcff1c2706f60b9ce0f5c114c515297f08941090320811882190a6f4a08d37dab9874188ca6cc3def574e5a8be32ec712597c1bc53e6627254141234d7f66d80a6bb798bae99ad0d873b840bdec645ad27f9f46cc8c82fa2e0f2d918cb91e1a99c1494b3cff9543cb684f0ff396ff151b4db2eeccfe593ecfdc402c6b4bc198b404b56c3533711509127a14423213c4db695fa18037e2f1bd6104fc0bed450757014b9527c1f7ac90270132f6881dd32256c383ed6ff5ee340f45ab42e94484182dc2849bacf1c9a3b23859d3d4433067ff4850ee64fe7013bcbf903b7a2cc8ccfa1fe3a030f6c01ac1e107d40543432f32088320feba5d5fb5b73e32f5ed10453d15d81f82f551655810bff6954e1a59442187111f75528c475f120dd25b47281c9269769056120b1267791a71e973b6fa70a2929fdaf07334efa2c1b7e62b43e5772ef643c208c0ce15e8bb2c37403bd5a0c61efcf38d189aeb33a4000000076a9d9fad1e98ba80d7d4a431ffb3d5e0aea43ce425c06164d6549129dd07e6831a6fc82ad4f0a3bc0293d0189f34faf9952de0949b60c87064f42fa90a8a77b	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DB12BC63-045A-11EC-A11C-DA8E4795D742} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2961648109"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f085e6b06798d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000067abca05553e624a921ede633ed96db900000000020000000000106600000001000020000000a525b411497cf29531c0ef2e1b9392c680334e98ad3e04a3b41380bfe5337b72000000000e8000000002000020000000a479ccf456d062d8c5aa27ed58a8bde3c7843c17ae9ecbdfe349f8581733b9ed2000000018c769274313227baaf87319153ba29242e7dac2a781f3a4bc7db4fca75f408d40000000b22a5d1e4e3019173693fbff43ca0f3fe55d147b66c2a3edb0055519bbaa7ea080c4318b6e8e7d950f346e1f8cb145c9574779c5abe5a52feeeb2498c2c6304d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "336536450"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 42735c406898d701	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBZ\DefaultIcon	ebook.tmp
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 95bfd26f6898d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a74263616898d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\MOBI\DefaultIcon\ = "C:\\Program Files (x86)\\Icecream Ebook Reader\\mobi.ico"	ebook.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b9838e406898d701	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBR	ebook.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbz\ = "IcecreamEbookReader\\CBZ"	ebook.tmp
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBZ\DefaultIcon\ = "C:\\Program Files (x86)\\Icecream Ebook Reader\\cbz.ico"	ebook_reader_setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{4DAD30F0-1BC5-4D8D-B88D-A4AEF69AF2BE} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBR\DefaultIcon	ebook.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packag = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\MOBI\shell\open\command\ = "\"C:\\Program Files (x86)\\Icecream Ebook Reader\\ebookreader.exe\" \"%1\""	ebook.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBR\DefaultIcon\ = "C:\\Program Files (x86)\\Icecream Ebook Reader\\cbr.ico"	ebook.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbr	ebook.tmp
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a835fc406898d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbz	ebook.tmp
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fb2	ebook_reader_setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\ebook_reader_setup.exe.56njmt2.partial:Zone.Identifier	browser_broker.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4700	ebookreader.exe
1784	ebookreader.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2224	ebook.tmp
2224	ebook.tmp
2944	ebook_reader_setup.tmp
2944	ebook_reader_setup.tmp
2944	ebook_reader_setup.tmp
2944	ebook_reader_setup.tmp
2944	ebook_reader_setup.tmp
2944	ebook_reader_setup.tmp

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
772	iexplore.exe
4700	ebookreader.exe
1784	ebookreader.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2164	MicrosoftEdgeCP.exe
2164	MicrosoftEdgeCP.exe
4400	MicrosoftEdgeCP.exe
4400	MicrosoftEdgeCP.exe
4400	MicrosoftEdgeCP.exe
4400	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	MicrosoftEdge.exe
Token: SeDebugPrivilege	2496	MicrosoftEdge.exe
Token: SeDebugPrivilege	2496	MicrosoftEdge.exe
Token: SeDebugPrivilege	2496	MicrosoftEdge.exe
Token: SeDebugPrivilege	500	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	500	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	500	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	500	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2496	MicrosoftEdge.exe
Token: SeDebugPrivilege	4792	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4792	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2944	ebook_reader_setup.tmp
Token: SeDebugPrivilege	2944	ebook_reader_setup.tmp
Token: SeDebugPrivilege	2944	ebook_reader_setup.tmp
Token: SeDebugPrivilege	2944	ebook_reader_setup.tmp
Token: SeDebugPrivilege	2944	ebook_reader_setup.tmp
Token: SeDebugPrivilege	2944	ebook_reader_setup.tmp
Token: SeDebugPrivilege	2944	ebook_reader_setup.tmp
Token: SeDebugPrivilege	2944	ebook_reader_setup.tmp
Token: SeDebugPrivilege	2944	ebook_reader_setup.tmp
Token: SeDebugPrivilege	2944	ebook_reader_setup.tmp
Token: SeDebugPrivilege	2944	ebook_reader_setup.tmp
Token: SeDebugPrivilege	2944	ebook_reader_setup.tmp

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
772	iexplore.exe
772	iexplore.exe
2224	ebook.tmp
2944	ebook_reader_setup.tmp

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
772	iexplore.exe
772	iexplore.exe
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
772	iexplore.exe
2496	MicrosoftEdge.exe
2164	MicrosoftEdgeCP.exe
2164	MicrosoftEdgeCP.exe
4700	ebookreader.exe
4700	ebookreader.exe
4700	ebookreader.exe
5088	MicrosoftEdge.exe
4400	MicrosoftEdgeCP.exe
4400	MicrosoftEdgeCP.exe
1784	ebookreader.exe
1784	ebookreader.exe
1784	ebookreader.exe
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 2148	772	iexplore.exe	75
PID 772 wrote to memory of 2148	772	iexplore.exe	75
PID 772 wrote to memory of 2148	772	iexplore.exe	75
PID 3448 wrote to memory of 2224	3448	ebook.exe	83
PID 3448 wrote to memory of 2224	3448	ebook.exe	83
PID 3448 wrote to memory of 2224	3448	ebook.exe	83
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2164 wrote to memory of 500	2164	MicrosoftEdgeCP.exe	89
PID 2224 wrote to memory of 4700	2224	ebook.tmp	91
PID 2224 wrote to memory of 4700	2224	ebook.tmp	91
PID 2224 wrote to memory of 4700	2224	ebook.tmp	91
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 4160 wrote to memory of 2956	4160	browser_broker.exe	98
PID 4160 wrote to memory of 2956	4160	browser_broker.exe	98
PID 4160 wrote to memory of 2956	4160	browser_broker.exe	98
PID 2956 wrote to memory of 2944	2956	ebook_reader_setup.exe	99
PID 2956 wrote to memory of 2944	2956	ebook_reader_setup.exe	99
PID 2956 wrote to memory of 2944	2956	ebook_reader_setup.exe	99
PID 4400 wrote to memory of 2192	4400	MicrosoftEdgeCP.exe	95
PID 2944 wrote to memory of 1784	2944	ebook_reader_setup.tmp	103
PID 2944 wrote to memory of 1784	2944	ebook_reader_setup.tmp	103
PID 2944 wrote to memory of 1784	2944	ebook_reader_setup.tmp	103

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://alebastersbastard.com/index_files/
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:772 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2148

C:\Users\Admin\Desktop\ebook.exe
"C:\Users\Admin\Desktop\ebook.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\is-8CBNT.tmp\ebook.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8CBNT.tmp\ebook.tmp" /SL5="$4024C,28982256,486912,C:\Users\Admin\Desktop\ebook.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Program Files (x86)\Icecream Ebook Reader\ebookreader.exe
    "C:\Program Files (x86)\Icecream Ebook Reader\ebookreader.exe" -inst
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4700

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2496

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4004

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:500

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\ebook_reader_setup.exe
  "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\ebook_reader_setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\is-8487C.tmp\ebook_reader_setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-8487C.tmp\ebook_reader_setup.tmp" /SL5="$30298,28983580,486912,C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\ebook_reader_setup.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Program Files (x86)\Icecream Ebook Reader\ebookreader.exe
      "C:\Program Files (x86)\Icecream Ebook Reader\ebookreader.exe" -inst
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:1784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2192

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/772-114-0x00007FF85C980000-0x00007FF85C9EB000-memory.dmp

Filesize
428KB

Download
memory/2224-126-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2944-194-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/2956-193-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3448-125-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5088-188-0x000001DA29820000-0x000001DA29830000-memory.dmp

Filesize
64KB

Download