c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in System32 directory 59 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\taobao.url	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\免费电影.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\kuaijie.bat	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\mm.ico	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\systemok.vbs	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\腾讯QQ.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\yx.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\Internet Exporer.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\sy.reg	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\taobao.ico	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\taobao.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\ico.ico	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\qq.ico	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\zq.ico	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\FilmTVkk.ico	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\激情爽片.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\免费电影.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\taobao.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\hosok.bat	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\Internet Explorer.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\systemok.vbs	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\yx.url	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240561578	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\systemkj.vbs	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\淘宝购物.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\yx.ico	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\腾讯QQ.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\yx.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\zq.url	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\qq.ico	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\sp.url	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\ss.reg	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\zq.ico	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\createcs.vbs	cmd.exe
File opened for modification	C:\Windows\SysWOW64\kuaijie.bat	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\systemkj.vbs	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\激情爽片.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\hosok.bat	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\ico.ico	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\ss.reg	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\sy.reg	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\yx.url	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\createcs.vbs	cmd.exe
File created	C:\Windows\SysWOW64\FilmTVkk.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\zq.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\zq.url	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\filmtvdy.exe.exe	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\FilmTVkk.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\Internet Exporer.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\filmtvdy.exe.exe	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\Internet Explorer.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\yx.ico	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\淘宝购物.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\FilmTVkk.ico	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\sp.url	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\zq.lnk	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File created	C:\Windows\SysWOW64\mm.ico	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\taobao.ico	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
File opened for modification	C:\Windows\SysWOW64\taobao.url	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3b04fc1b-c76d-4307-bab7-e8cef5ccab97.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221206180337.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\7832.com	filmtvdy.exe.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	filmtvdy.exe.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\vod.7832.com	filmtvdy.exe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\7832.com\Total = "63"	filmtvdy.exe.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	filmtvdy.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	filmtvdy.exe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	filmtvdy.exe.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	filmtvdy.exe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	filmtvdy.exe.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	filmtvdy.exe.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\7832.com	filmtvdy.exe.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\GPU	filmtvdy.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	filmtvdy.exe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\vod.7832.com\ = "63"	filmtvdy.exe.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\7832.com\NumberOfSubdomains = "1"	filmtvdy.exe.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.vvyy.net/"	regedit.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs .reg file with regedit 1 IoCs

pid	Process
5056	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
3272	msedge.exe
3272	msedge.exe
3132	identity_helper.exe
3132	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1788	filmtvdy.exe.exe
1788	filmtvdy.exe.exe
1788	filmtvdy.exe.exe
1788	filmtvdy.exe.exe
1788	filmtvdy.exe.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1788	filmtvdy.exe.exe
1788	filmtvdy.exe.exe
1788	filmtvdy.exe.exe
1788	filmtvdy.exe.exe
1788	filmtvdy.exe.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1788	filmtvdy.exe.exe
1788	filmtvdy.exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 712	544	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe	77
PID 544 wrote to memory of 712	544	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe	77
PID 544 wrote to memory of 712	544	c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe	77
PID 712 wrote to memory of 1532	712	WScript.exe	78
PID 712 wrote to memory of 1532	712	WScript.exe	78
PID 712 wrote to memory of 1532	712	WScript.exe	78
PID 1532 wrote to memory of 2704	1532	cmd.exe	80
PID 1532 wrote to memory of 2704	1532	cmd.exe	80
PID 1532 wrote to memory of 2704	1532	cmd.exe	80
PID 1532 wrote to memory of 392	1532	cmd.exe	81
PID 1532 wrote to memory of 392	1532	cmd.exe	81
PID 1532 wrote to memory of 392	1532	cmd.exe	81
PID 1532 wrote to memory of 3132	1532	cmd.exe	82
PID 1532 wrote to memory of 3132	1532	cmd.exe	82
PID 1532 wrote to memory of 3132	1532	cmd.exe	82
PID 3132 wrote to memory of 3040	3132	rundll32.exe	83
PID 3132 wrote to memory of 3040	3132	rundll32.exe	83
PID 3132 wrote to memory of 3040	3132	rundll32.exe	83
PID 3040 wrote to memory of 808	3040	runonce.exe	84
PID 3040 wrote to memory of 808	3040	runonce.exe	84
PID 3040 wrote to memory of 808	3040	runonce.exe	84
PID 1532 wrote to memory of 740	1532	cmd.exe	86
PID 1532 wrote to memory of 740	1532	cmd.exe	86
PID 1532 wrote to memory of 740	1532	cmd.exe	86
PID 1532 wrote to memory of 5056	1532	cmd.exe	87
PID 1532 wrote to memory of 5056	1532	cmd.exe	87
PID 1532 wrote to memory of 5056	1532	cmd.exe	87
PID 1532 wrote to memory of 3272	1532	cmd.exe	88
PID 1532 wrote to memory of 3272	1532	cmd.exe	88
PID 1532 wrote to memory of 1788	1532	cmd.exe	90
PID 1532 wrote to memory of 1788	1532	cmd.exe	90
PID 1532 wrote to memory of 1788	1532	cmd.exe	90
PID 1532 wrote to memory of 3280	1532	cmd.exe	91
PID 1532 wrote to memory of 3280	1532	cmd.exe	91
PID 1532 wrote to memory of 3280	1532	cmd.exe	91
PID 1532 wrote to memory of 444	1532	cmd.exe	93
PID 1532 wrote to memory of 444	1532	cmd.exe	93
PID 1532 wrote to memory of 444	1532	cmd.exe	93
PID 3272 wrote to memory of 2180	3272	msedge.exe	95
PID 3272 wrote to memory of 2180	3272	msedge.exe	95
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98
PID 3272 wrote to memory of 3976	3272	msedge.exe	98

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3280	attrib.exe
444	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
"C:\Users\Admin\AppData\Local\Temp\c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\system32\systemok.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\system32\hosok.bat" "
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\reg.exe
      Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\reg.exe
      Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f
      4⤵
      PID:392
  - - C:\Windows\SysWOW64\rundll32.exe
      RUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\TmpInf.inf
      4⤵
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:808
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\system32\createcs.vbs"
      4⤵
      PID:740
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s sy.reg
      4⤵
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Runs .reg file with regedit
      PID:5056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.vvyy.net/?v2
      4⤵
      Adds Run key to start application
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa068746f8,0x7ffa06874708,0x7ffa06874718
        5⤵
        
        PID:2180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
        5⤵
        
        PID:3976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
        5⤵
        
        PID:4540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        5⤵
        
        PID:772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        5⤵
        
        PID:4952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4948 /prefetch:8
        5⤵
        
        PID:2680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
        5⤵
        
        PID:2392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
        5⤵
        
        PID:3444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5232 /prefetch:8
        5⤵
        
        PID:3452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
        5⤵
        
        PID:2184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
        5⤵
        
        PID:3836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
        5⤵
        
        PID:372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        Drops file in Program Files directory
        
        PID:4080
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7305b5460,0x7ff7305b5470,0x7ff7305b5480
        6⤵
        
        PID:1068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
        5⤵
        
        PID:4852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
        5⤵
        
        PID:4768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
        5⤵
        
        PID:2096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,9318723481124291410,11298538962139791574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4604 /prefetch:8
        5⤵
        
        PID:4580
  - - C:\Windows\SysWOW64\filmtvdy.exe.exe
      filmtvdy.exe.exe
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\╫└├µ\*.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:3280
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery