7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe
Size

1.2MB
MD5

90dadb3e75df9547aa5743575ca0dd36
SHA1

d98780eba073ca35cfb6904deb88e19ba65b5a34
SHA256

7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f
SHA512

c914dcbde55665e97ba00ff1bf2c941f57cfb881bab524855071bd83c310d4cabd4be1981b0443df555100998266a2c0eeb7eeee717fb39543a4da7c328ea45e
SSDEEP

24576:gjFtxhQ1FWTiIskCM0oY4Kq+mLNa4yWYKhD28:gwUOzJoYhuLkXWYF8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Rundll32.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\INetHistory\desktop.ini	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 15 IoCs

evasion

pid	Process
4620	taskkill.exe
1284	taskkill.exe
3640	taskkill.exe
4752	taskkill.exe
3792	taskkill.exe
4084	taskkill.exe
3064	taskkill.exe
620	taskkill.exe
4168	taskkill.exe
4380	taskkill.exe
4968	taskkill.exe
4408	taskkill.exe
4344	taskkill.exe
1216	taskkill.exe
1632	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-VendorId = "4318"	Rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-SubSysId = "0"	Rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\DOMStorage	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	Rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared = "1"	Rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared_TIMESTAMP = 0ebf1bddfb94da01	Rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomStorageState\EdpCleanupState = "0"	Rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	Rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomStorageState	Rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-DeviceId = "140"	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-SoftwareFallback = "0"	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-Revision = "0"	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	Rundll32.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133582948342980834"	Rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	rundll32.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DOMStorage	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DomStorageState	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\Main	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\Main\OperationalData = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\EdpDomStorage	rundll32.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3520	reg.exe
1436	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	620	taskkill.exe
Token: SeDebugPrivilege	4380	taskkill.exe
Token: SeDebugPrivilege	4752	taskkill.exe
Token: SeDebugPrivilege	4168	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	4620	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	3792	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	4408	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	936	rundll32.exe
Token: SeDebugPrivilege	936	rundll32.exe
Token: SeDebugPrivilege	936	rundll32.exe
Token: SeDebugPrivilege	936	rundll32.exe
Token: SeDebugPrivilege	936	rundll32.exe
Token: SeDebugPrivilege	936	rundll32.exe
Token: SeDebugPrivilege	936	rundll32.exe
Token: SeDebugPrivilege	936	rundll32.exe
Token: SeDebugPrivilege	936	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3844	Rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe
1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe
1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 4620	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	91
PID 1348 wrote to memory of 4620	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	91
PID 1348 wrote to memory of 4620	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	91
PID 1348 wrote to memory of 3792	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	92
PID 1348 wrote to memory of 3792	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	92
PID 1348 wrote to memory of 3792	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	92
PID 1348 wrote to memory of 4752	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	93
PID 1348 wrote to memory of 4752	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	93
PID 1348 wrote to memory of 4752	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	93
PID 1348 wrote to memory of 3064	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	94
PID 1348 wrote to memory of 3064	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	94
PID 1348 wrote to memory of 3064	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	94
PID 1348 wrote to memory of 3640	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	95
PID 1348 wrote to memory of 3640	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	95
PID 1348 wrote to memory of 3640	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	95
PID 1348 wrote to memory of 1284	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	96
PID 1348 wrote to memory of 1284	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	96
PID 1348 wrote to memory of 1284	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	96
PID 1348 wrote to memory of 1632	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	97
PID 1348 wrote to memory of 1632	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	97
PID 1348 wrote to memory of 1632	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	97
PID 1348 wrote to memory of 1216	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	98
PID 1348 wrote to memory of 1216	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	98
PID 1348 wrote to memory of 1216	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	98
PID 1348 wrote to memory of 4344	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	99
PID 1348 wrote to memory of 4344	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	99
PID 1348 wrote to memory of 4344	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	99
PID 1348 wrote to memory of 4408	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	100
PID 1348 wrote to memory of 4408	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	100
PID 1348 wrote to memory of 4408	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	100
PID 1348 wrote to memory of 4084	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	101
PID 1348 wrote to memory of 4084	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	101
PID 1348 wrote to memory of 4084	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	101
PID 1348 wrote to memory of 4168	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	102
PID 1348 wrote to memory of 4168	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	102
PID 1348 wrote to memory of 4168	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	102
PID 1348 wrote to memory of 4968	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	103
PID 1348 wrote to memory of 4968	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	103
PID 1348 wrote to memory of 4968	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	103
PID 1348 wrote to memory of 620	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	104
PID 1348 wrote to memory of 620	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	104
PID 1348 wrote to memory of 620	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	104
PID 1348 wrote to memory of 3844	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	105
PID 1348 wrote to memory of 3844	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	105
PID 1348 wrote to memory of 3844	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	105
PID 1348 wrote to memory of 3520	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	120
PID 1348 wrote to memory of 3520	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	120
PID 1348 wrote to memory of 3520	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	120
PID 1348 wrote to memory of 1436	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	121
PID 1348 wrote to memory of 1436	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	121
PID 1348 wrote to memory of 1436	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	121
PID 1348 wrote to memory of 5084	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	124
PID 1348 wrote to memory of 5084	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	124
PID 1348 wrote to memory of 5084	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	124
PID 1348 wrote to memory of 3160	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	125
PID 1348 wrote to memory of 3160	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	125
PID 1348 wrote to memory of 3160	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	125
PID 1348 wrote to memory of 4380	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	126
PID 1348 wrote to memory of 4380	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	126
PID 1348 wrote to memory of 4380	1348	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	126
PID 3160 wrote to memory of 416	3160	net.exe	131
PID 3160 wrote to memory of 416	3160	net.exe	131
PID 3160 wrote to memory of 416	3160	net.exe	131
PID 5084 wrote to memory of 5012	5084	net.exe	130

C:\Users\Admin\AppData\Local\Temp\7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe
"C:\Users\Admin\AppData\Local\Temp\7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im TslGame.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im TslGame_BE.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im TslGame_UC.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im TslGame_ZK.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ExecPubg.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im BEService.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im BEService_x64.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im BroCrashReporter.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ucldr_battlegrounds_gl.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im reporter.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im wscript.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im iigw_server.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im Fondue.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im zksvc.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 InetCpl.cpl,ClearMyTracksByProcess 255
  2⤵
  - Checks computer location settings
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  PID:3844
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -ResetDestinationList
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:255 WinX:0 WinY:0 IEFrame:00000000
    3⤵
    - Drops desktop.ini file(s)
    - Modifies Internet Explorer settings
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:936
- C:\Windows\SysWOW64\reg.exe
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\eamonm /f
  2⤵
  - Modifies registry key
  PID:3520
- C:\Windows\SysWOW64\reg.exe
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\edevmon /f
  2⤵
  - Modifies registry key
  PID:1436
- C:\Windows\SysWOW64\net.exe
  net stop BEService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BEService
    3⤵
    PID:5012
- C:\Windows\SysWOW64\net.exe
  net stop BEDaisy
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BEDaisy
    3⤵
    PID:416
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im 360chrome.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\INetHistory\desktop.ini

Filesize
130B

MD5
941682911c20b2dabecb20476f91c98a

SHA1
0b0becf019cb15e75cdfa23bf0d4cb976f109baa

SHA256
3fef99e07b0455f88a5bb59e83329d0bfcebe078d907985d0abf70be26b9b89a

SHA512
a12f5caf5fd39cf2ae600e4378b9296d07787a83ae76bc410b89182a2f8e3202c4ca80d811d548193dff439541de9447f9fa141ebfd771e7ab7a6053cb4af2b3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads