42ffdf8098897e4c6eb30bd3b66696d20353fdf882eb2aab7575d17af049471c

Analysis

max time kernel
104s
max time network
87s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16/02/2023, 21:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

EveryonePiano2.1.5.29_setup.exe
Size

5.5MB
MD5

aada3e22e8a48bf5a69e8bb31dcf9553
SHA1

5cb5330b66aeea600b055a57e51fdf1de01edac1
SHA256

42ffdf8098897e4c6eb30bd3b66696d20353fdf882eb2aab7575d17af049471c
SHA512

229e3b7b2f3355574289b1aa71279648fb8a56a0b370efa21ee91ea2bb23ce0125a5856efd63b40719f619b7615b29ee99c21f522c5e78f81904b7ee2efdee85
SSDEEP

98304:iutulTWTfATE1eLCNc8V/cgCzaqp0HZd4iEXxnETN827MvrqQBKUEyE779s2pqQ:bEWT3suNRGUqeHLwxnET2bzqcE7Js2ph

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1600	EveryonePiano2.1.5.29_setup.tmp
616	EveryonePiano.exe

Loads dropped DLL 8 IoCs

pid	Process
1808	EveryonePiano2.1.5.29_setup.exe
1600	EveryonePiano2.1.5.29_setup.tmp
1600	EveryonePiano2.1.5.29_setup.tmp
1600	EveryonePiano2.1.5.29_setup.tmp
1600	EveryonePiano2.1.5.29_setup.tmp
1600	EveryonePiano2.1.5.29_setup.tmp
1600	EveryonePiano2.1.5.29_setup.tmp
616	EveryonePiano.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-09GIQ.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-CBCK1.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-0IA39.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Language\is-5JH9N.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin2\is-DI5I2.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Music\is-N33LO.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin2\is-BDVRG.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin2\is-R76MQ.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin2\is-4Q7AB.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-UB2K6.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-86TE2.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin2\is-0UI3E.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\EOPUpdate.ini	EveryonePiano.exe
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-CRBLA.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-MB4QB.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-R98K8.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-8MOSG.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Music\is-OP8RL.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Music\is-KQ3HF.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Music\is-F90H7.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Music\is-6D9N1.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-PKCJ4.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin2\is-UA2JE.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin2\is-HV4PA.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-RELFE.tmp	EveryonePiano2.1.5.29_setup.tmp
File opened for modification	C:\Program Files (x86)\EveryonePiano\unins000.dat	EveryonePiano2.1.5.29_setup.tmp
File opened for modification	C:\Program Files (x86)\EveryonePiano\Onekey\0002.ini	EveryonePiano.exe
File created	C:\Program Files (x86)\EveryonePiano\Music\is-58UP3.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-LO938.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-AUKO0.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-UGFRL.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Music\is-40VT5.tmp	EveryonePiano2.1.5.29_setup.tmp
File opened for modification	C:\Program Files (x86)\EveryonePiano\Onekey\0001.ini	EveryonePiano.exe
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-2OOET.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-A0K92.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-C1FE6.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-6P091.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-MKORV.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Language\is-JCEK9.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-G9T7N.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-0EPGH.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Plugin\Network\is-IDD1I.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-B9CGU.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-C875M.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Music\is-QTQU1.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-U3PKE.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-C8OHC.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-1PIR8.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-A3200.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-GEOV0.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-UMJGR.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-HGRM2.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-DGHCV.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Music\is-LQQOV.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\is-7CTGU.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin2\is-P7PRS.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin2\is-Q94RV.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-F1TH9.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin1\is-K4UDA.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin2\is-2T9HU.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-T318R.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Music\is-0EDNV.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\is-5LB18.tmp	EveryonePiano2.1.5.29_setup.tmp
File created	C:\Program Files (x86)\EveryonePiano\Skin\Skin3\is-NO99Q.tmp	EveryonePiano2.1.5.29_setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.eop	EveryonePiano2.1.5.29_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.eop\ = "eop_auto_file"	EveryonePiano2.1.5.29_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eop_auto_file\shell\open\command	EveryonePiano2.1.5.29_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eop_auto_file	EveryonePiano2.1.5.29_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eop_auto_file\shell	EveryonePiano2.1.5.29_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eop_auto_file\shell\open	EveryonePiano2.1.5.29_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eop_auto_file\shell\open\command\ = "C:\\Program Files (x86)\\EveryonePiano\\EveryonePiano.exe %1"	EveryonePiano2.1.5.29_setup.tmp

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	EveryonePiano.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	EveryonePiano.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	EveryonePiano.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	EveryonePiano.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	EveryonePiano.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	588	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	588	AUDIODG.EXE
Token: 33	588	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	588	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
616	EveryonePiano.exe
616	EveryonePiano.exe
616	EveryonePiano.exe
616	EveryonePiano.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
616	EveryonePiano.exe
616	EveryonePiano.exe
616	EveryonePiano.exe
616	EveryonePiano.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
616	EveryonePiano.exe
616	EveryonePiano.exe
616	EveryonePiano.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1600	1808	EveryonePiano2.1.5.29_setup.exe	28
PID 1808 wrote to memory of 1600	1808	EveryonePiano2.1.5.29_setup.exe	28
PID 1808 wrote to memory of 1600	1808	EveryonePiano2.1.5.29_setup.exe	28
PID 1808 wrote to memory of 1600	1808	EveryonePiano2.1.5.29_setup.exe	28
PID 1808 wrote to memory of 1600	1808	EveryonePiano2.1.5.29_setup.exe	28
PID 1808 wrote to memory of 1600	1808	EveryonePiano2.1.5.29_setup.exe	28
PID 1808 wrote to memory of 1600	1808	EveryonePiano2.1.5.29_setup.exe	28
PID 1600 wrote to memory of 616	1600	EveryonePiano2.1.5.29_setup.tmp	30
PID 1600 wrote to memory of 616	1600	EveryonePiano2.1.5.29_setup.tmp	30
PID 1600 wrote to memory of 616	1600	EveryonePiano2.1.5.29_setup.tmp	30
PID 1600 wrote to memory of 616	1600	EveryonePiano2.1.5.29_setup.tmp	30

C:\Users\Admin\AppData\Local\Temp\EveryonePiano2.1.5.29_setup.exe
"C:\Users\Admin\AppData\Local\Temp\EveryonePiano2.1.5.29_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\is-KT2IN.tmp\EveryonePiano2.1.5.29_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KT2IN.tmp\EveryonePiano2.1.5.29_setup.tmp" /SL5="$80122,5416816,66048,C:\Users\Admin\AppData\Local\Temp\EveryonePiano2.1.5.29_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Program Files (x86)\EveryonePiano\EveryonePiano.exe
    "C:\Program Files (x86)\EveryonePiano\EveryonePiano.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:616

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x54c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EveryonePiano\EveryonePiano.exe

Filesize
5.0MB

MD5
81fcbc4a1f722d92162184c492c32ca0

SHA1
c54ca14dafd2d3ad9eed67bb39891c07ddddb2e8

SHA256
f22c5c98d3e29c90ec21305b5ddaedd8cca8dc0a73d181d4c59082bb2a694182

SHA512
6c22464a05fcff5dc05b31a02792638ae7c13bc92fcc09764cb69ad7282782e1fe98a80527fbcbd9cb662f6a5bb17c8469bd74905f83a25c3afca808c96d5149

Download Submit
C:\Program Files (x86)\EveryonePiano\EveryonePiano.exe

Filesize
5.0MB

MD5
81fcbc4a1f722d92162184c492c32ca0

SHA1
c54ca14dafd2d3ad9eed67bb39891c07ddddb2e8

SHA256
f22c5c98d3e29c90ec21305b5ddaedd8cca8dc0a73d181d4c59082bb2a694182

SHA512
6c22464a05fcff5dc05b31a02792638ae7c13bc92fcc09764cb69ad7282782e1fe98a80527fbcbd9cb662f6a5bb17c8469bd74905f83a25c3afca808c96d5149

Download Submit
C:\Program Files (x86)\EveryonePiano\Language\English.ini

Filesize
28KB

MD5
c9fdb2f9957210bab2d02e15b7cd7b00

SHA1
515673cf4008f8e65b7fc70e8504d93098b70958

SHA256
cef63618274fb3e2010f841f7ded1e30bf5890d6162947ed675b5dcff5bbd140

SHA512
7faf11fdcd5e08aee992abe3fc000b176bbd7f54957e07e2b3a994acd7576198d237b800bbd118ece0bd73d06a11116e0d3747ad2d6eff866d200de2c214fcc3

Download Submit
C:\Program Files (x86)\EveryonePiano\vsti\mdaPiano.dll

Filesize
1.5MB

MD5
8a4a66a96e48489b261e91d649f2bc8c

SHA1
26b0c824b0b8c710fad8e59fe781bd8499ae62b9

SHA256
821d73a1629721d2d20b0d3a497b70da24cad6c94553be9cbe18db7eaa93c670

SHA512
f9fed348f207377755520d7a121ec1240289aa611de31855474a1332ab432ca8d3ca00403614ae24d57390d3de24c3aaaa4e46cefbfc1c5d91730ce95ff5c3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KT2IN.tmp\EveryonePiano2.1.5.29_setup.tmp

Filesize
681KB

MD5
5ca8ae960cca54b8c2ce478bf4e63db8

SHA1
8409d79a25839e1c1074669885a34c48772f604f

SHA256
efd44c917d341cf22639bf880b3cb6e3f416cf7b2e98464123e45e97bbeb7ae4

SHA512
3fdd2dcabaef9cd625566ae540f2ecd3b13f8a90767c076450c875b7d757365f530bed06d152cd6ee5434d3b0ec198e3976c85f8f8bd4751a99c4f3a561cd117

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KT2IN.tmp\EveryonePiano2.1.5.29_setup.tmp

Filesize
681KB

MD5
5ca8ae960cca54b8c2ce478bf4e63db8

SHA1
8409d79a25839e1c1074669885a34c48772f604f

SHA256
efd44c917d341cf22639bf880b3cb6e3f416cf7b2e98464123e45e97bbeb7ae4

SHA512
3fdd2dcabaef9cd625566ae540f2ecd3b13f8a90767c076450c875b7d757365f530bed06d152cd6ee5434d3b0ec198e3976c85f8f8bd4751a99c4f3a561cd117

Download Submit
\Program Files (x86)\EveryonePiano\EveryonePiano.exe

Filesize
5.0MB

MD5
81fcbc4a1f722d92162184c492c32ca0

SHA1
c54ca14dafd2d3ad9eed67bb39891c07ddddb2e8

SHA256
f22c5c98d3e29c90ec21305b5ddaedd8cca8dc0a73d181d4c59082bb2a694182

SHA512
6c22464a05fcff5dc05b31a02792638ae7c13bc92fcc09764cb69ad7282782e1fe98a80527fbcbd9cb662f6a5bb17c8469bd74905f83a25c3afca808c96d5149

Download Submit
\Program Files (x86)\EveryonePiano\EveryonePiano.exe

Filesize
5.0MB

MD5
81fcbc4a1f722d92162184c492c32ca0

SHA1
c54ca14dafd2d3ad9eed67bb39891c07ddddb2e8

SHA256
f22c5c98d3e29c90ec21305b5ddaedd8cca8dc0a73d181d4c59082bb2a694182

SHA512
6c22464a05fcff5dc05b31a02792638ae7c13bc92fcc09764cb69ad7282782e1fe98a80527fbcbd9cb662f6a5bb17c8469bd74905f83a25c3afca808c96d5149

Download Submit
\Program Files (x86)\EveryonePiano\EveryonePiano.exe

Filesize
5.0MB

MD5
81fcbc4a1f722d92162184c492c32ca0

SHA1
c54ca14dafd2d3ad9eed67bb39891c07ddddb2e8

SHA256
f22c5c98d3e29c90ec21305b5ddaedd8cca8dc0a73d181d4c59082bb2a694182

SHA512
6c22464a05fcff5dc05b31a02792638ae7c13bc92fcc09764cb69ad7282782e1fe98a80527fbcbd9cb662f6a5bb17c8469bd74905f83a25c3afca808c96d5149

Download Submit
\Program Files (x86)\EveryonePiano\unins000.exe

Filesize
691KB

MD5
142d32116f6f4959d854d97d5e150a0b

SHA1
875a48a1d3c78428dcd7a5026da6f1d7cd94cd8e

SHA256
c8d0179f32c813c7de7ab9a27aff65a5fc3ba08cc362173f3b41101ed3389f6c

SHA512
952cae14db0fdf47cb7a6b45023a7a3b543353110dd37206ef3d28e48ba6282d582c12fb09767be76d6460eda1f867c93fc0c33aedaf8d97f998720101b3edbe

Download Submit
\Program Files (x86)\EveryonePiano\vsti\mdaPiano.dll

Filesize
1.5MB

MD5
8a4a66a96e48489b261e91d649f2bc8c

SHA1
26b0c824b0b8c710fad8e59fe781bd8499ae62b9

SHA256
821d73a1629721d2d20b0d3a497b70da24cad6c94553be9cbe18db7eaa93c670

SHA512
f9fed348f207377755520d7a121ec1240289aa611de31855474a1332ab432ca8d3ca00403614ae24d57390d3de24c3aaaa4e46cefbfc1c5d91730ce95ff5c3dc

Download Submit
\Users\Admin\AppData\Local\Temp\is-4106I.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-4106I.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KT2IN.tmp\EveryonePiano2.1.5.29_setup.tmp

Filesize
681KB

MD5
5ca8ae960cca54b8c2ce478bf4e63db8

SHA1
8409d79a25839e1c1074669885a34c48772f604f

SHA256
efd44c917d341cf22639bf880b3cb6e3f416cf7b2e98464123e45e97bbeb7ae4

SHA512
3fdd2dcabaef9cd625566ae540f2ecd3b13f8a90767c076450c875b7d757365f530bed06d152cd6ee5434d3b0ec198e3976c85f8f8bd4751a99c4f3a561cd117

Download Submit
memory/1808-54-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1808-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1808-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1808-55-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download