b9b939533b5194e6f07816386b1301be35830be6a446bd81132faf5b66cf4b4e

Analysis

max time kernel
56s
max time network
59s
platform
windows10_x64
resource
win10-20220414-en
submitted
13-06-2022 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
Size

1.1MB
MD5

bf36e1d433dfa61e97f7d92f44f1af19
SHA1

d1b1f74bec890ae02c3d5284f0e190195cf87f20
SHA256

4e2d60184a4f38ee5d38a702b4409772b58a7bb2eba4b87830ec6df141d7f286
SHA512

88c1f2e488efdd7b04ebe0c7bab818129680e6cc1e7f4ab373f99d6691cc77a3729045f18deb01d019a21bac3e1606a878366937775a936a52dc78448b400a5d

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Control Panel\International\Geo\Nation	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000002ede2979383c374e200e2b767bd4ab3756cd047bccfe973d5d1674a3abcbce2eb7b7e1c4a3cf6fcdf8f3e0b94243896e3521d6fac1221dc9d74a7c72b64ebfbd4ace343c0bac0abda6fed3a28e0b135b348b5efcd834f474df57	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000394dd63d19dbd11a636d2bff52022ad4c95f3cb35df34a0fae34fe94b27c3765a080c203e2e0ec202d7cbb2b10133fd6f466e36fe23687fce433	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000580d3926bad60edd16c734de0d13fdbd98d96538ed8196f1f794b3abaf377f6f5bbb132455edfc42a922ab3ab01e62f8d75500a8532d2c1449332283647c256fdf8de2cc6d9533a9e3cbb2e39b43dd760187b7a50eb98e0f372fde95f3a9c577f2a561f6f66d0d46ebe1da0bc5211c1a748d171867c6db918ea77dba1960d86a782275ce5b175319b2848fe1ad584a74bc88e8e48ff446187fbdd4e6e63f721d412431bf4d32f43cc1d4abbca38831ad3799603ff2e35f0aad8fbee0ade75c3f3fcb01a3865db149f5f14aa91b5114f90ddea642993314e60b3fd1be60f995e2e1365b4a113ae6c788fb305f20536ea1d57819e00785b878aeeb5f38b913b68498876a4efb6730b3d212fb90392e9797ac87c31b1577902819b56ac756d7e6ae4edd9a36ca86470ebd5678715682ac9f492c3e9624aa7d52dfbb5296eae3b4221758eaee76364c8091e7a8cc7cef88020f85786c2bbeccaf341f2d4382d8fb9cd6174387bc16110da7e573ef7e1578d9d1b3ca61c2538ad5bcff0f6f2b57781dcb3cf14deec8e6d59170e75e909375ddfed6d75ec109aebd120e5548f3c76effb0904f15708f	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 6aa8dc891250d801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = eafd5dce747fd801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packa = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 6aa8dc891250d801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1bbe16ce747fd801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
Token: SeDebugPrivilege	1944	MicrosoftEdge.exe
Token: SeDebugPrivilege	1944	MicrosoftEdge.exe
Token: SeDebugPrivilege	1944	MicrosoftEdge.exe
Token: SeDebugPrivilege	1944	MicrosoftEdge.exe
Token: SeDebugPrivilege	716	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	716	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	716	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	716	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1944	MicrosoftEdge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1944	MicrosoftEdge.exe
200	MicrosoftEdgeCP.exe
200	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe
"C:\Users\Admin\AppData\Local\Temp\Death Stranding Directors Cut v1.0 Plus 26 Trainer.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4056

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1492-119-0x000001EC24290000-0x000001EC242C2000-memory.dmp

Filesize
200KB

Download
memory/1492-120-0x000001EC3C7FA000-0x000001EC3C7FF000-memory.dmp

Filesize
20KB

Download
memory/1492-123-0x000001EC3C7FA000-0x000001EC3C7FF000-memory.dmp

Filesize
20KB

Download
memory/1492-125-0x000001EC3C7FA000-0x000001EC3C7FF000-memory.dmp

Filesize
20KB

Download
memory/1944-121-0x000002C17FE20000-0x000002C17FE30000-memory.dmp

Filesize
64KB

Download
memory/1944-122-0x000002C100000000-0x000002C100010000-memory.dmp

Filesize
64KB

Download