b587860551197fa81a095d121c595d08cbf8f3938f04a6d40a841b8b1a67c826

Analysis

max time kernel
99s
max time network
106s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-11-2022 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trigon Evo 2_XH-7z91.exe
Size

2.6MB
MD5

174444da2c90ae775cccae2ec9e938a3
SHA1

d8aa73d11f3f111ed528d8010f00cc9014169b66
SHA256

b587860551197fa81a095d121c595d08cbf8f3938f04a6d40a841b8b1a67c826
SHA512

920f2aaa1ee3c84e932e71364c340561a513264393eceadc6eda19796b0f6b9c6e2f387f23f52755d42cdc716498f21e80833b2f90cb6e39a1b882d4636b3c77
SSDEEP

49152:+qe3f6aWzD7+H98AHaCfu6DHCL+WuTmuKwEx:vSi/D7E9vBumHCK5NKXx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Trigon Evo 2_XH-7z91.tmp

pid process

4488 Trigon Evo 2_XH-7z91.tmp

pid	process
4488	Trigon Evo 2_XH-7z91.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Trigon Evo 2_XH-7z91.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\International\Geo\Nation	Trigon Evo 2_XH-7z91.tmp

Loads dropped DLL 3 IoCs

Processes:

Trigon Evo 2_XH-7z91.tmp

pid process

4488 Trigon Evo 2_XH-7z91.tmp
4488 Trigon Evo 2_XH-7z91.tmp
4488 Trigon Evo 2_XH-7z91.tmp

pid	process
4488	Trigon Evo 2_XH-7z91.tmp
4488	Trigon Evo 2_XH-7z91.tmp
4488	Trigon Evo 2_XH-7z91.tmp

Drops file in Windows directory 2 IoCs

Processes:

MicrosoftEdge.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Trigon Evo 2_XH-7z91.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Trigon Evo 2_XH-7z91.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	Trigon Evo 2_XH-7z91.tmp

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{D106B519-8734-41E4-AB17-31340F87160F} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000007406709e665be9f90ae9e620199de1ac7c6b87be593c84ffb315b3d6e3a5e64ec7a14b48b9a9eee2259e0135c49ca174730d5f014777226f8d05bacbb8f501e033524d95d1b85007df10d378af64871725542e469ac27aabf3c2c6313fde6da60e3787779a28a8616760b08c5196b807d05fd33b53bf82a1ca6c6558650039739471cb46079aaf8aaeaccb3eb9d0a4f29850c4e9fb0cae01bb23a8d42afbcd8edd2064fc61ac48064d16a63f17b4df615346d9d6e64b1ad2e90790cc716fa4e71365a3c07aff9b9c89bcdce7efe09be86961717b0d1bef0fcf38090e2cfc37bf5d5e5fc63d337bc504c0b524b4f540e2b1c08c07f31b6562ead64cf8054221f5b42c5d78a7e88121ce40b8702d9422c1c885e678a1ed3ddfdd01ab329ae09bddd2ef87f4a6be4905315ee5bba25bbaecedcf67f930308fd99bd97038b6789aa77bc897daca550b15ad38f59848ec58302bbeb39abf8393c8707f63accea9c052aad57c66504e81ee2bf0f43eeae5a7b875723457f688d93678114186d7136535a7375fdc324794e18da4525b84e718a5da0a656635de60c45e86ec5fea6582232c557e6d5c85	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000020e41ec46272c294a2936a3ff5cbe94be04e759a164267467ff4c3604d3946c8e95666fa093ac144badc6e33bc10396e432052184beefa7c75909d93d086cffec40ec8efb132c580a4926777816995b90dbcdaa41270424abdcc	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 51e0d6d06eaed801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c4e2589a0100d901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000fc9b5efeceba6dfa4e6ae966c137ab0a843b370242ecce57fba544b4d1145d1145f416c4f5d18fa9d0c421ad421ae46f18d89716ad86ed2431af	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 7 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

MicrosoftEdge.exe

description	pid	process
Token: SeDebugPrivilege	3412	MicrosoftEdge.exe
Token: SeDebugPrivilege	3412	MicrosoftEdge.exe
Token: SeDebugPrivilege	3412	MicrosoftEdge.exe
Token: SeDebugPrivilege	3412	MicrosoftEdge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Trigon Evo 2_XH-7z91.tmp

pid process

4488 Trigon Evo 2_XH-7z91.tmp
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Trigon Evo 2_XH-7z91.tmpMicrosoftEdge.exe

pid process

4488 Trigon Evo 2_XH-7z91.tmp
3412 MicrosoftEdge.exe

pid	process
4488	Trigon Evo 2_XH-7z91.tmp

pid	process
4488	Trigon Evo 2_XH-7z91.tmp
3412	MicrosoftEdge.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Trigon Evo 2_XH-7z91.exe

description	pid	process	target process
PID 2692 wrote to memory of 4488	2692	Trigon Evo 2_XH-7z91.exe	Trigon Evo 2_XH-7z91.tmp
PID 2692 wrote to memory of 4488	2692	Trigon Evo 2_XH-7z91.exe	Trigon Evo 2_XH-7z91.tmp
PID 2692 wrote to memory of 4488	2692	Trigon Evo 2_XH-7z91.exe	Trigon Evo 2_XH-7z91.tmp

C:\Users\Admin\AppData\Local\Temp\Trigon Evo 2_XH-7z91.exe
"C:\Users\Admin\AppData\Local\Temp\Trigon Evo 2_XH-7z91.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\Temp\is-PSKQR.tmp\Trigon Evo 2_XH-7z91.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PSKQR.tmp\Trigon Evo 2_XH-7z91.tmp" /SL5="$701D4,1785071,899584,C:\Users\Admin\AppData\Local\Temp\Trigon Evo 2_XH-7z91.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4488

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3412

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2240

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-PSKQR.tmp\Trigon Evo 2_XH-7z91.tmp

Filesize
3.0MB

MD5
74fad5c6cd2d3af1fa257b5e9531993a

SHA1
ab701031918456195cf9a12a8b33f9417a9f6496

SHA256
8dc40627fa4c09f7fd6df78e3ad03d7db3767010e15418dba24e63754dcbc59b

SHA512
05b107537675cfa43f3cc744c3de9164069816401af9fdb7a82dcb1a021985b97f2ecc56e3ea17151a0dee97b0af175f0883b8fb4cf5c5f7d72a5479c5557edb

Download Submit
\Users\Admin\AppData\Local\Temp\is-F0PKC.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-F0PKC.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-F0PKC.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
e1f18a22199c6f6aa5d87b24e5b39ef1

SHA1
0dcd8f90b575f6f1d10d6789fe769fa26daafd0e

SHA256
62c56c8cf2ac6521ce047b73aa99b6d3952ca53f11d34b00e98d17674a2fc10d

SHA512
5a10a2f096adce6e7db3a40bc3ea3fd44d602966e606706ee5a780703f211de7f77656c79c296390baee1e008dc3ce327eaaf5d78bbae20108670c5bc809a190

Download Submit
memory/2692-147-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-130-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-119-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-120-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-121-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-123-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-122-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-149-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-126-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-125-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-127-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-128-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-129-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-150-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2692-132-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-131-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-133-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-152-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-135-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-136-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-137-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-138-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-139-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-140-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-141-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-143-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-142-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-144-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-145-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-146-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-117-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-148-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-124-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-118-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-134-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-153-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-154-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2692-155-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-156-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-201-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2692-296-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4488-183-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-161-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-179-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-173-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-163-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-164-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-165-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-166-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-168-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-167-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-169-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-157-0x0000000000000000-mapping.dmp

Download
memory/4488-171-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-170-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-162-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-174-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-175-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-176-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-177-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-178-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-172-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-159-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-181-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-182-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-180-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4488-160-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download