b676f76e4b153c81ed79d631be828c73dc7c8718b347efca4d6cd3dd6ae44724

Analysis

max time kernel
480s
max time network
438s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
19-02-2024 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hip.rar
Size

4.2MB
MD5

b19e41525b47b6112887362b06a9d5e6
SHA1

ad6e5a5dd823c1960216f2752a58ce5a299d7d86
SHA256

b676f76e4b153c81ed79d631be828c73dc7c8718b347efca4d6cd3dd6ae44724
SHA512

b8f4ccb3e0fb040935a3998a1bb401343471dab269c485a277c7720829b54dd157c8d0dbaaccd3c8ccc55b80127f0511fbd2c23a6e522ce92c8cbcde69a890da
SSDEEP

98304:P6a7EzHsCVDUl8YYVnkNjYa56O2qcNDVA7vBYn1sOsUS5Wz/XJnb7:P+zoOfkp56O25NDVALBYn1sOsUS4fB

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	celexware! (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"	celexware! (1).exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	celexware! (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	celexware! (1).exe

Executes dropped EXE 5 IoCs

pid	Process
5112	login.exe
812	loader.exe
64	celexware! (1).exe
3092	loader.exe
5832	loader.exe

Themida packer 42 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000600000001abdc-8.dat	themida
behavioral1/files/0x000600000001abdc-9.dat	themida
behavioral1/memory/812-10-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/812-12-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/812-13-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/812-14-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/812-15-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/812-16-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/812-17-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/812-18-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/812-19-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/812-31-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/files/0x000600000001abea-37.dat	themida
behavioral1/memory/64-39-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp	themida
behavioral1/memory/64-41-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp	themida
behavioral1/memory/64-42-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp	themida
behavioral1/memory/64-43-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp	themida
behavioral1/memory/64-44-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp	themida
behavioral1/memory/64-45-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp	themida
behavioral1/memory/64-46-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp	themida
behavioral1/memory/64-47-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp	themida
behavioral1/memory/64-55-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp	themida
behavioral1/memory/812-58-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/64-66-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp	themida
behavioral1/files/0x000600000001abdc-71.dat	themida
behavioral1/memory/3092-72-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/3092-74-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/3092-75-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/3092-76-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/3092-78-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/3092-79-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/3092-80-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/3092-81-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/3092-84-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/3092-87-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/3092-90-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/3092-91-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/3092-95-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/3092-98-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/3092-104-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida
behavioral1/memory/64-117-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp	themida
behavioral1/memory/5832-355-0x00007FF635840000-0x00007FF6362DF000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	celexware! (1).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
812	loader.exe
64	celexware! (1).exe
3092	loader.exe
5832	loader.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	taskmgr.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\text_auto_file\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\text_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\text_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\text_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ee3041d78e63da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\text_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\.text	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{E87F0F0A-D8B1-45EE-A8C5-770075748168} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3d5a29d78e63da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529921725-1823547078-1350365960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1576	7zFM.exe
1576	7zFM.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
1576	7zFM.exe
812	loader.exe
3092	loader.exe
1116	taskmgr.exe
5832	loader.exe

Suspicious behavior: LoadsDriver 7 IoCs

pid	Process
64	celexware! (1).exe
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
600	Process not Found

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
5004	MicrosoftEdgeCP.exe
5004	MicrosoftEdgeCP.exe
5004	MicrosoftEdgeCP.exe
5004	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeRestorePrivilege	1576	7zFM.exe
Token: 35	1576	7zFM.exe
Token: SeSecurityPrivilege	1576	7zFM.exe
Token: SeDebugPrivilege	3388	taskmgr.exe
Token: SeSystemProfilePrivilege	3388	taskmgr.exe
Token: SeCreateGlobalPrivilege	3388	taskmgr.exe
Token: 33	3388	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3388	taskmgr.exe
Token: SeSecurityPrivilege	1576	7zFM.exe
Token: SeLoadDriverPrivilege	64	celexware! (1).exe
Token: SeDebugPrivilege	1116	taskmgr.exe
Token: SeSystemProfilePrivilege	1116	taskmgr.exe
Token: SeCreateGlobalPrivilege	1116	taskmgr.exe
Token: SeDebugPrivilege	1264	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1264	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1264	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1264	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2924	MicrosoftEdge.exe
Token: SeDebugPrivilege	2924	MicrosoftEdge.exe
Token: SeShutdownPrivilege	2832	svchost.exe
Token: SeCreatePagefilePrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2832	svchost.exe
Token: SeSecurityPrivilege	1576	7zFM.exe
Token: SeSecurityPrivilege	1576	7zFM.exe
Token: SeSecurityPrivilege	1576	7zFM.exe
Token: 33	1116	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1116	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1576	7zFM.exe
1576	7zFM.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
1576	7zFM.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
3388	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe
1116	taskmgr.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
812	loader.exe
3092	loader.exe
2924	MicrosoftEdge.exe
5004	MicrosoftEdgeCP.exe
1264	MicrosoftEdgeCP.exe
5004	MicrosoftEdgeCP.exe
5832	loader.exe
5356	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1576	2188	cmd.exe	74
PID 2188 wrote to memory of 1576	2188	cmd.exe	74
PID 1576 wrote to memory of 5112	1576	7zFM.exe	76
PID 1576 wrote to memory of 5112	1576	7zFM.exe	76
PID 5112 wrote to memory of 5108	5112	login.exe	78
PID 5112 wrote to memory of 5108	5112	login.exe	78
PID 5108 wrote to memory of 812	5108	cmd.exe	79
PID 5108 wrote to memory of 812	5108	cmd.exe	79
PID 812 wrote to memory of 2492	812	loader.exe	80
PID 812 wrote to memory of 2492	812	loader.exe	80
PID 2492 wrote to memory of 4936	2492	cmd.exe	82
PID 2492 wrote to memory of 4936	2492	cmd.exe	82
PID 2492 wrote to memory of 2732	2492	cmd.exe	83
PID 2492 wrote to memory of 2732	2492	cmd.exe	83
PID 2492 wrote to memory of 936	2492	cmd.exe	84
PID 2492 wrote to memory of 936	2492	cmd.exe	84
PID 1576 wrote to memory of 64	1576	7zFM.exe	91
PID 1576 wrote to memory of 64	1576	7zFM.exe	91
PID 64 wrote to memory of 2320	64	celexware! (1).exe	93
PID 64 wrote to memory of 2320	64	celexware! (1).exe	93
PID 2320 wrote to memory of 2544	2320	cmd.exe	96
PID 2320 wrote to memory of 2544	2320	cmd.exe	96
PID 2320 wrote to memory of 732	2320	cmd.exe	94
PID 2320 wrote to memory of 732	2320	cmd.exe	94
PID 2320 wrote to memory of 4520	2320	cmd.exe	95
PID 2320 wrote to memory of 4520	2320	cmd.exe	95
PID 3092 wrote to memory of 640	3092	loader.exe	100
PID 3092 wrote to memory of 640	3092	loader.exe	100
PID 640 wrote to memory of 2772	640	cmd.exe	102
PID 640 wrote to memory of 2772	640	cmd.exe	102
PID 640 wrote to memory of 4440	640	cmd.exe	103
PID 640 wrote to memory of 4440	640	cmd.exe	103
PID 640 wrote to memory of 3988	640	cmd.exe	104
PID 640 wrote to memory of 3988	640	cmd.exe	104
PID 5004 wrote to memory of 3204	5004	MicrosoftEdgeCP.exe	112
PID 5004 wrote to memory of 3204	5004	MicrosoftEdgeCP.exe	112
PID 5004 wrote to memory of 3204	5004	MicrosoftEdgeCP.exe	112
PID 5004 wrote to memory of 3204	5004	MicrosoftEdgeCP.exe	112
PID 5004 wrote to memory of 3204	5004	MicrosoftEdgeCP.exe	112
PID 5004 wrote to memory of 3204	5004	MicrosoftEdgeCP.exe	112
PID 5004 wrote to memory of 3204	5004	MicrosoftEdgeCP.exe	112
PID 5004 wrote to memory of 3204	5004	MicrosoftEdgeCP.exe	112
PID 5004 wrote to memory of 3204	5004	MicrosoftEdgeCP.exe	112
PID 5004 wrote to memory of 3204	5004	MicrosoftEdgeCP.exe	112
PID 5004 wrote to memory of 3204	5004	MicrosoftEdgeCP.exe	112
PID 5004 wrote to memory of 3204	5004	MicrosoftEdgeCP.exe	112
PID 5832 wrote to memory of 1560	5832	loader.exe	125
PID 5832 wrote to memory of 1560	5832	loader.exe	125
PID 1560 wrote to memory of 1404	1560	cmd.exe	127
PID 1560 wrote to memory of 1404	1560	cmd.exe	127
PID 1560 wrote to memory of 4568	1560	cmd.exe	129
PID 1560 wrote to memory of 4568	1560	cmd.exe	129
PID 1560 wrote to memory of 5900	1560	cmd.exe	128
PID 1560 wrote to memory of 5900	1560	cmd.exe	128
PID 1836 wrote to memory of 308	1836	OpenWith.exe	132
PID 1836 wrote to memory of 308	1836	OpenWith.exe	132

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\hip.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\hip.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\7zO8267C997\login.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8267C997\login.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
        
        C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:812
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5
        7⤵
        
        PID:4936
        
        C:\Windows\system32\find.exe
        
        find /i /v "md5"
        7⤵
        
        PID:2732
        
        C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        7⤵
        
        PID:936
- - C:\Users\Admin\AppData\Local\Temp\7zO826E0779\celexware! (1).exe
    "C:\Users\Admin\AppData\Local\Temp\7zO826E0779\celexware! (1).exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Sets service image path in registry
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:64
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\7zO826E0779\celexware! (1).exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:732
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:4520
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\7zO826E0779\celexware! (1).exe" MD5
        5⤵
        
        PID:2544

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3388

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3936

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1116

C:\Windows\System32\ebunne.exe
"C:\Windows\System32\ebunne.exe"
1⤵
PID:4088

C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
"C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5
    3⤵
    PID:2772
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4440
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:3988

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
PID:2532

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
PID:4692

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "http://www.bing.com/search?q=ebunne.exe ebunne.exe"
1⤵
PID:2880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1264

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3204

C:\Windows\System32\ebunne.exe
"C:\Windows\System32\ebunne.exe"
1⤵
PID:2024

C:\Windows\System32\ebunne.exe
"C:\Windows\System32\ebunne.exe"
1⤵
PID:3104

C:\Windows\System32\Eap3Host.exe
"C:\Windows\System32\Eap3Host.exe"
1⤵
PID:5400

C:\Windows\System32\ebunne.exe
"C:\Windows\System32\ebunne.exe"
1⤵
PID:424

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:3896

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:5140

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:6044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:824

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2832

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:5184

C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
"C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5
    3⤵
    PID:1404
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:5900
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4568

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5356

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO8266EC2E\.text
  2⤵
  PID:308

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\UseReceive.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\3877292338.pri

Filesize
162KB

MD5
0d02b03a068d671348931cc20c048422

SHA1
67b6deacf1303acfcbab0b158157fdc03a02c8d5

SHA256
44f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0

SHA512
805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\810424605.pri

Filesize
2KB

MD5
a2942665b12ed000cd2ac95adef8e0cc

SHA1
ac194f8d30f659131d1c73af8d44e81eccab7fde

SHA256
bdc5de6c42c523a333c26160d212c62385b03f5ebdae5aa8c5d025ff3f8aa374

SHA512
4e5ba962ba97656974c390b45302d60f4c82d604feb6199d44e80497a40d0b0a9fd119ca17ac184809ca0821ab6813292892c433ed7277f65c275f37a96070b9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\XABE5XN3\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFA0AD6FB7590EA308.TMP

Filesize
16KB

MD5
04f055cbe2d6d86941f3129f048cd2eb

SHA1
b2508bcac6bdd117e13018a71ed299bdc421785e

SHA256
ebf8535bc6a74a2f8d59be869ed2ce5456918cfec99e5be958cc9a09ad3cdffd

SHA512
266525d37f5d8e3960563c2c2255df246681bee2283939bdf7ff23fa07c1f16ec519b200b881b27bb56f78f6639045f8e41315cce68d6258de24f15f0cc45be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8266EC2E\.text

Filesize
329KB

MD5
3e11f4ddfe305e0c6dc58d42ef7e9baf

SHA1
2a012d43fd67db789c5107b9c66793aad6e7e41c

SHA256
2276ae2eb24720df201ef9f49fb74a3eac1a3e6cbef191000391d5a4a15beeff

SHA512
26000adfa6d60d6b4ba861ce5ffd5fd86dc009af1d72f71dacb677ed339292a76cf65ce1868ffbdbdcb115dfcfcdaad6787b834407046033c17394386232ef77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8267C997\login.exe

Filesize
429KB

MD5
b88444cf2c03ce4efe2a1608a379ee53

SHA1
68d9285ee72288656c258cf9db9c564226a48ddb

SHA256
d70e292a21ebc5ca1675ca585bcae52a51aad4bcee9bbbaf44b0a2cc635b64c7

SHA512
7c9e116a417f2a15d2ca3f70b61697c9e34b6131b12221032cde9d64c41993f6f8cfa34196ed99122aa34d59159955d6362827f0d4eee1688bce465539e8d633

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO826E0779\celexware! (1).exe

Filesize
4.0MB

MD5
e0f791ee5ec8fbc02d0d50730bbe54ce

SHA1
79e26ea4cbef52244855082bdce86f65aa2da00f

SHA256
e919724919f29ea9728aa7aca9695f14fb28c48a00bb7928d216e5e9807c34ce

SHA512
2fe2af1cb954cad00a5e73f343f257dc24031feb3891594177d19d2ed5ca9c68b2bcf2dc220f5ca4ef4014138aaad3befa0e57de8b55a84395bb3a8306501834

Download Submit
C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe

Filesize
4.1MB

MD5
9ecdc9ed1bea6c226f92d740d43400b9

SHA1
b5b5066cd4284733d8c3f3d7de3ca6653091ae10

SHA256
60c57f14c2e0e0df0bda16646b21dddceaee0159dafbbb8daba310d4e1b5be6c

SHA512
30bc705a2438288e3647d5adfc6119d751823970972b9c6b39a60384a2b7ac261986026b8d1c0b0ca7ee3d7e95363c97b873fdc5fad4096c903cb4e15bf57e43

Download Submit
C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe

Filesize
1.2MB

MD5
147978fb016b2d058976f7139163002c

SHA1
e6a635ef1d228aa720778a04314f0fabebe62f8f

SHA256
a64c5c3f39b64a8b680031079312e0387b7d09caf1418b18cb086eff21d68514

SHA512
be8aaa6a5d91076c8ca3a28681dac6055b7fef91c9876f9c6dca24c9a152efcd98c12ffdd370da4f9e192a91164b6a42877043d4aae79f22cdd9fd7dd99ea695

Download Submit
C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe

Filesize
921KB

MD5
4a8f4b0c183f1341e462b745ea73d571

SHA1
f536db94ea13c5b7fee4336af36d0e3f5776a07d

SHA256
3ffa7fdf815fcd05f74db3302573ada960c6cec14b22a12f640e1b21fe6f8770

SHA512
02d817da9f45aa72e60276b85c4a9a0b1b33d9d9708e3989453e7aa0161bf3e4f494d9ea97d16158ff6ff6ffd6b830f166bed7ec9c6f9633cefca40948f0993c

Download Submit
C:\Windows\INF\netrasa.PNF

Filesize
22KB

MD5
80648b43d233468718d717d10187b68d

SHA1
a1736e8f0e408ce705722ce097d1adb24ebffc45

SHA256
8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

SHA512
eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Download Submit
C:\Windows\INF\netsstpa.PNF

Filesize
6KB

MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit
memory/64-62-0x00007FF961CE0000-0x00007FF961EBB000-memory.dmp

Filesize
1.9MB

Download
memory/64-42-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp

Filesize
10.6MB

Download
memory/64-116-0x00007FF961CE0000-0x00007FF961EBB000-memory.dmp

Filesize
1.9MB

Download
memory/64-117-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp

Filesize
10.6MB

Download
memory/64-39-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp

Filesize
10.6MB

Download
memory/64-40-0x00007FF961CE0000-0x00007FF961EBB000-memory.dmp

Filesize
1.9MB

Download
memory/64-41-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp

Filesize
10.6MB

Download
memory/64-66-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp

Filesize
10.6MB

Download
memory/64-43-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp

Filesize
10.6MB

Download
memory/64-44-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp

Filesize
10.6MB

Download
memory/64-45-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp

Filesize
10.6MB

Download
memory/64-46-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp

Filesize
10.6MB

Download
memory/64-47-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp

Filesize
10.6MB

Download
memory/64-55-0x00007FF674B00000-0x00007FF6755A2000-memory.dmp

Filesize
10.6MB

Download
memory/812-27-0x00007FF961CE0000-0x00007FF961EBB000-memory.dmp

Filesize
1.9MB

Download
memory/812-16-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/812-58-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/812-19-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/812-18-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/812-17-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/812-10-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/812-11-0x00007FF961CE0000-0x00007FF961EBB000-memory.dmp

Filesize
1.9MB

Download
memory/812-12-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/812-31-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/812-13-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/812-14-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/812-15-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-75-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-104-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-84-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-87-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-90-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-91-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-93-0x00007FF961CE0000-0x00007FF961EBB000-memory.dmp

Filesize
1.9MB

Download
memory/3092-95-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-98-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-81-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-80-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-79-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-78-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-76-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-74-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/3092-73-0x00007FF961CE0000-0x00007FF961EBB000-memory.dmp

Filesize
1.9MB

Download
memory/3092-72-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/5832-355-0x00007FF635840000-0x00007FF6362DF000-memory.dmp

Filesize
10.6MB

Download
memory/5832-357-0x00007FF961CE0000-0x00007FF961EBB000-memory.dmp

Filesize
1.9MB

Download
memory/5832-338-0x00007FF961CE0000-0x00007FF961EBB000-memory.dmp

Filesize
1.9MB

Download