sality | hxxps://gofile[.]io/d/bST3VE

Windows Service

T1543.003

Processes:

Digital Keylogger 3.3.exewinsrv.exeSilent Keylogger v1.6 Public Version By BUNNN.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winsrv.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 3 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

Digital Keylogger 3.3.exeSilent Keylogger v1.6 Public Version By BUNNN.exewinsrv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winsrv.exe

Windows security bypass 2 TTPs 18 IoCs

Disable or Modify Tools

Modify Registry

Processes:

winsrv.exeDigital Keylogger 3.3.exeSilent Keylogger v1.6 Public Version By BUNNN.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Silent Keylogger v1.6 Public Version By BUNNN.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rhj4BB2.tmp	acprotect

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

winsrv.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation winsrv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	winsrv.exe

Executes dropped EXE 32 IoCs

Processes:

9LOG.exeAux Logger v3.exeRapZo Logger v 1.5 ( Public Edition ).exeAux Logger v3.exeAnonymous Keylogger.exeDigital Keylogger 3.3.exeDracula Logger.exeecodsoft-keylogger.exeecodsoft-keylogger.tmpwinsrv.exeRunOnce.exeecodsoft-keylogger.exeecodsoft-keylogger.tmpFungus Keylogger v0.1.1.exeGalaxy Logger.exeGhostMsn_Builder.exeupx.exeHBStub.exeEditor.exeiks2k20d.exeiksinstall.exeJoDeDoR Keylogger 1.0.exeKeyLogger.exeVulcan Logger.exeTTiger Keylogger v1.0.exeTotalLoggerBuilder.exeSyslogger Builder.exeTotalLoggerBuilder.exeTotalLoggerBuilder.exeSilent Keylogger v1.6 Public Version By BUNNN.exeRinLogger.exeRinLogger.exe

pid	process
2900	9LOG.exe
2708	Aux Logger v3.exe
5152	RapZo Logger v 1.5 ( Public Edition ).exe
3880	Aux Logger v3.exe
2936	Anonymous Keylogger.exe
3000	Digital Keylogger 3.3.exe
4176	Dracula Logger.exe
4696	ecodsoft-keylogger.exe
2164	ecodsoft-keylogger.tmp
2960	winsrv.exe
4044	RunOnce.exe
1992	ecodsoft-keylogger.exe
6032	ecodsoft-keylogger.tmp
4364	Fungus Keylogger v0.1.1.exe
3552	Galaxy Logger.exe
4628	GhostMsn_Builder.exe
2700	upx.exe
3448	HBStub.exe
6064	Editor.exe
5088	iks2k20d.exe
812	iksinstall.exe
1684	JoDeDoR Keylogger 1.0.exe
376	KeyLogger.exe
3640	Vulcan Logger.exe
5476	TTiger Keylogger v1.0.exe
4604	TotalLoggerBuilder.exe
3720	Syslogger Builder.exe
5540	TotalLoggerBuilder.exe
4664	TotalLoggerBuilder.exe
5432	Silent Keylogger v1.6 Public Version By BUNNN.exe
4524	RinLogger.exe
5664	RinLogger.exe

Loads dropped DLL 64 IoCs

Processes:

winsrv.exeRunOnce.exeecodsoft-keylogger.exeecodsoft-keylogger.tmpFungus Keylogger v0.1.1.exeGalaxy Logger.exeGhostMsn_Builder.exeHBStub.exeEditor.exeiks2k20d.exeiksinstall.exeJoDeDoR Keylogger 1.0.exeKeyLogger.exeVulcan Logger.exeTTiger Keylogger v1.0.exeTotalLoggerBuilder.exeSyslogger Builder.exeTotalLoggerBuilder.exe

pid	process
2960	winsrv.exe
2960	winsrv.exe
2960	winsrv.exe
2960	winsrv.exe
2960	winsrv.exe
2960	winsrv.exe
2960	winsrv.exe
2960	winsrv.exe
4044	RunOnce.exe
4044	RunOnce.exe
4044	RunOnce.exe
1992	ecodsoft-keylogger.exe
1992	ecodsoft-keylogger.exe
1992	ecodsoft-keylogger.exe
6032	ecodsoft-keylogger.tmp
6032	ecodsoft-keylogger.tmp
6032	ecodsoft-keylogger.tmp
4364	Fungus Keylogger v0.1.1.exe
4364	Fungus Keylogger v0.1.1.exe
4364	Fungus Keylogger v0.1.1.exe
3552	Galaxy Logger.exe
3552	Galaxy Logger.exe
3552	Galaxy Logger.exe
4628	GhostMsn_Builder.exe
4628	GhostMsn_Builder.exe
4628	GhostMsn_Builder.exe
3448	HBStub.exe
3448	HBStub.exe
3448	HBStub.exe
6064	Editor.exe
6064	Editor.exe
6064	Editor.exe
5088	iks2k20d.exe
5088	iks2k20d.exe
2960	winsrv.exe
2960	winsrv.exe
5088	iks2k20d.exe
5088	iks2k20d.exe
5088	iks2k20d.exe
812	iksinstall.exe
812	iksinstall.exe
812	iksinstall.exe
812	iksinstall.exe
812	iksinstall.exe
1684	JoDeDoR Keylogger 1.0.exe
1684	JoDeDoR Keylogger 1.0.exe
1684	JoDeDoR Keylogger 1.0.exe
376	KeyLogger.exe
376	KeyLogger.exe
376	KeyLogger.exe
3640	Vulcan Logger.exe
3640	Vulcan Logger.exe
3640	Vulcan Logger.exe
5476	TTiger Keylogger v1.0.exe
5476	TTiger Keylogger v1.0.exe
5476	TTiger Keylogger v1.0.exe
4604	TotalLoggerBuilder.exe
4604	TotalLoggerBuilder.exe
4604	TotalLoggerBuilder.exe
3720	Syslogger Builder.exe
3720	Syslogger Builder.exe
3720	Syslogger Builder.exe
5540	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3000-970-0x0000000002A30000-0x0000000003ABE000-memory.dmp	upx
behavioral1/memory/3000-973-0x0000000002A30000-0x0000000003ABE000-memory.dmp	upx
behavioral1/memory/3000-976-0x0000000002A30000-0x0000000003ABE000-memory.dmp	upx
behavioral1/memory/3000-979-0x0000000002A30000-0x0000000003ABE000-memory.dmp	upx
behavioral1/memory/3000-983-0x0000000002A30000-0x0000000003ABE000-memory.dmp	upx
behavioral1/memory/3000-984-0x0000000002A30000-0x0000000003ABE000-memory.dmp	upx
behavioral1/memory/3000-985-0x0000000002A30000-0x0000000003ABE000-memory.dmp	upx
behavioral1/memory/3000-986-0x0000000002A30000-0x0000000003ABE000-memory.dmp	upx
behavioral1/memory/3000-987-0x0000000002A30000-0x0000000003ABE000-memory.dmp	upx
behavioral1/memory/3000-988-0x0000000002A30000-0x0000000003ABE000-memory.dmp	upx
behavioral1/memory/3000-989-0x0000000002A30000-0x0000000003ABE000-memory.dmp	upx
behavioral1/memory/3000-990-0x0000000002A30000-0x0000000003ABE000-memory.dmp	upx
behavioral1/memory/2700-1470-0x0000000000400000-0x0000000000546000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\7zO42585E9C\Editor.exe	upx
behavioral1/memory/6064-1492-0x0000000000400000-0x00000000005AB000-memory.dmp	upx
behavioral1/memory/6064-1493-0x0000000000400000-0x00000000005AB000-memory.dmp	upx

Windows security modification 2 TTPs 21 IoCs

Disable or Modify Tools

Modify Registry

Processes:

Digital Keylogger 3.3.exeSilent Keylogger v1.6 Public Version By BUNNN.exewinsrv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Digital Keylogger 3.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Digital Keylogger 3.3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

winsrv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iSafeCW = "C:\\Program Files (x86)\\Ecodsoft Keylogger\\winsrv.exe"	winsrv.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

System Information Discovery

T1082

Processes:

winsrv.exeDigital Keylogger 3.3.exeSilent Keylogger v1.6 Public Version By BUNNN.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Silent Keylogger v1.6 Public Version By BUNNN.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

9LOG.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini 9LOG.exe
File opened for modification C:\Windows\assembly\Desktop.ini 9LOG.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

winsrv.exe

description ioc process

File opened (read-only) \??\E: winsrv.exe

description	ioc	process
File opened (read-only)	\??\E:	winsrv.exe

Drops file in System32 directory 2 IoCs

Processes:

Silent Keylogger v1.6 Public Version By BUNNN.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	Silent Keylogger v1.6 Public Version By BUNNN.exe
File opened for modification	C:\Windows\SysWOW64\comdlg32.ocx	Silent Keylogger v1.6 Public Version By BUNNN.exe

Drops file in Program Files directory 64 IoCs

Processes:

ecodsoft-keylogger.tmpwinsrv.exeecodsoft-keylogger.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\itemkey.png	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\data.mdb	winsrv.exe
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-CHR87.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\cdrom60.png	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-UVEPL.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\stkBk.png	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\is-P99V8.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\iSafeProtect.dll	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\is-S4T4C.tmp	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\is-9NPD0.tmp	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\is-7C2LG.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\logo.png	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\hotbg.png	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-2D3TK.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\is-JF2LR.tmp	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\is-EUT3F.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\logviewicn.png	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-2E7L9.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\RunOnce.exe	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-1N1BM.tmp	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-P73M7.tmp	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-IFECM.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\zlib1d.dll	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\hotkey.gif	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-QNR30.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\updater.png	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\is-NLO2B.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\LogTag.png	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-IQ36O.tmp	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-BBU16.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\yahoo60.png	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Activity.dll	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\unins000.dat	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\scanstop.png	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-3BE0G.tmp	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-6B691.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\doc60.png	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\system.mdb	winsrv.exe
File created	C:\Program Files (x86)\Ecodsoft Keylogger\is-N9J02.tmp	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\is-0UD3C.tmp	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-0C2HT.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\PasswordTip.png	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-I5RS3.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\log.png	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-MRIRD.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\facebook.png	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\data.mdb	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\is-R00M4.tmp	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-49UL7.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\register.png	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\is-O62VS.tmp	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-GNLNQ.tmp	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\is-LH6OE.tmp	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-M7OMV.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\uninstall.png	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\quit.png	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\is-AUH6S.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\MainScan.gif	ecodsoft-keylogger.tmp
File created	C:\Program Files (x86)\Ecodsoft Keylogger\is-3KHFA.tmp	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\smartsense.png	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\pswdbtn.png	ecodsoft-keylogger.tmp
File opened for modification	C:\Program Files (x86)\Ecodsoft Keylogger\Skin\usb60.png	ecodsoft-keylogger.tmp

Drops file in Windows directory 5 IoCs

Processes:

9LOG.exeDigital Keylogger 3.3.exeiksinstall.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	9LOG.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	9LOG.exe
File opened for modification	C:\Windows\SYSTEM.INI	Digital Keylogger 3.3.exe
File opened for modification	C:\Windows\iksinstall.INI	iksinstall.exe
File opened for modification	C:\Windows\assembly	9LOG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

Processes:

Silent Keylogger v1.6 Public Version By BUNNN.exeOpenWith.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ = "ICommonDialog"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Version	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Windows\\SysWow64\\comdlg32.ocx"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\Version = "1.2"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ = "ICommonDialogEvents"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1\ = "132499"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\ = "Microsoft Common Dialog Control 6.0"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\FLAGS\ = "2"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CLSID	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Windows\\SysWow64\\comdlg32.ocx"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR\	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Windows\\SysWow64\\comdlg32.ocx"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID\ = "MSComDlg.CommonDialog"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1\CLSID\ = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\ = "Common Dialog Color Property Page Object"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CurVer	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CurVer\ = "MSComDlg.CommonDialog.1"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\ = "Common Dialog Font Property Page Object"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\Version = "1.2"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ = "ICommonDialogEvents"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\Version = "1.2"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\ = "Microsoft Common Dialog Control, version 6.0"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID\ = "MSComDlg.CommonDialog.1"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Windows\\SysWow64\\comdlg32.ocx"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Windows\\SysWow64\\comdlg32.ocx"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib	Silent Keylogger v1.6 Public Version By BUNNN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Version\ = "1.2"	Silent Keylogger v1.6 Public Version By BUNNN.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeDigital Keylogger 3.3.exeSilent Keylogger v1.6 Public Version By BUNNN.exewinsrv.exe

pid	process
1660	msedge.exe
1660	msedge.exe
4192	msedge.exe
4192	msedge.exe
2500	identity_helper.exe
2500	identity_helper.exe
5716	msedge.exe
5716	msedge.exe
3000	Digital Keylogger 3.3.exe
3000	Digital Keylogger 3.3.exe
5432	Silent Keylogger v1.6 Public Version By BUNNN.exe
5432	Silent Keylogger v1.6 Public Version By BUNNN.exe
2960	winsrv.exe
2960	winsrv.exe

Suspicious behavior: GetForegroundWindowSpam 10 IoCs

Processes:

7zFM.exeGalaxy Logger.exe7zFM.exe7zFM.exe7zFM.exe7zFM.exe7zFM.exe7zFM.exeKeyLogger.exeTotalLoggerBuilder.exe

pid	process
6048	7zFM.exe
3552	Galaxy Logger.exe
5340	7zFM.exe
4908	7zFM.exe
1316	7zFM.exe
540	7zFM.exe
5384	7zFM.exe
5956	7zFM.exe
376	KeyLogger.exe
5540	TotalLoggerBuilder.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4192 msedge.exe
4192 msedge.exe
4192 msedge.exe
4192 msedge.exe
4192 msedge.exe
4192 msedge.exe
4192 msedge.exe
4192 msedge.exe
4192 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exeDigital Keylogger 3.3.exe

description	pid	process
Token: SeRestorePrivilege	6048	7zFM.exe
Token: 35	6048	7zFM.exe
Token: SeSecurityPrivilege	6048	7zFM.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe
Token: SeDebugPrivilege	3000	Digital Keylogger 3.3.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe7zFM.exeDigital Keylogger 3.3.exe7zFM.exeecodsoft-keylogger.tmpecodsoft-keylogger.tmp7zFM.exe7zFM.exe7zFM.exe7zFM.exe7zFM.exeiksinstall.exe

pid	process
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
6048	7zFM.exe
6048	7zFM.exe
3000	Digital Keylogger 3.3.exe
5192	7zFM.exe
5192	7zFM.exe
2164	ecodsoft-keylogger.tmp
6032	ecodsoft-keylogger.tmp
2500	7zFM.exe
2500	7zFM.exe
5340	7zFM.exe
5340	7zFM.exe
4908	7zFM.exe
4908	7zFM.exe
1316	7zFM.exe
1316	7zFM.exe
540	7zFM.exe
540	7zFM.exe
812	iksinstall.exe
812	iksinstall.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exeDigital Keylogger 3.3.exeiksinstall.exeTotalLoggerBuilder.exeTotalLoggerBuilder.exeTotalLoggerBuilder.exe

pid	process
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
3000	Digital Keylogger 3.3.exe
812	iksinstall.exe
812	iksinstall.exe
812	iksinstall.exe
812	iksinstall.exe
4604	TotalLoggerBuilder.exe
4604	TotalLoggerBuilder.exe
4604	TotalLoggerBuilder.exe
4604	TotalLoggerBuilder.exe
4604	TotalLoggerBuilder.exe
4604	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
4664	TotalLoggerBuilder.exe
4664	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
4664	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
4664	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
4664	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
4664	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
4664	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
4664	TotalLoggerBuilder.exe
4664	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe
5540	TotalLoggerBuilder.exe

Suspicious use of SetWindowsHookEx 29 IoCs

Processes:

Digital Keylogger 3.3.exeecodsoft-keylogger.exeecodsoft-keylogger.tmpwinsrv.exeRunOnce.exeecodsoft-keylogger.exeecodsoft-keylogger.tmpFungus Keylogger v0.1.1.exeGhostMsn_Builder.exeOpenWith.exeHBStub.exeOpenWith.exeiks2k20d.exeiksinstall.exeOpenWith.exeJoDeDoR Keylogger 1.0.exeKeyLogger.exeSyslogger Builder.exeSilent Keylogger v1.6 Public Version By BUNNN.exe

pid	process
3000	Digital Keylogger 3.3.exe
3000	Digital Keylogger 3.3.exe
4696	ecodsoft-keylogger.exe
2164	ecodsoft-keylogger.tmp
2960	winsrv.exe
2960	winsrv.exe
2960	winsrv.exe
2960	winsrv.exe
2960	winsrv.exe
4044	RunOnce.exe
4044	RunOnce.exe
4044	RunOnce.exe
1992	ecodsoft-keylogger.exe
6032	ecodsoft-keylogger.tmp
4364	Fungus Keylogger v0.1.1.exe
4628	GhostMsn_Builder.exe
4628	GhostMsn_Builder.exe
4240	OpenWith.exe
3448	HBStub.exe
3644	OpenWith.exe
5088	iks2k20d.exe
812	iksinstall.exe
812	iksinstall.exe
4864	OpenWith.exe
1684	JoDeDoR Keylogger 1.0.exe
376	KeyLogger.exe
3720	Syslogger Builder.exe
3720	Syslogger Builder.exe
5432	Silent Keylogger v1.6 Public Version By BUNNN.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4192 wrote to memory of 4872	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4872	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 3916	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 1660	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 1660	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe
PID 4192 wrote to memory of 4004	4192	msedge.exe	msedge.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

Processes:

Digital Keylogger 3.3.exeSilent Keylogger v1.6 Public Version By BUNNN.exewinsrv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Digital Keylogger 3.3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Silent Keylogger v1.6 Public Version By BUNNN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winsrv.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:332

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2532

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/bST3VE
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8a3746f8,0x7ffa8a374708,0x7ffa8a374718
3⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
3⤵
PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
3⤵
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
3⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
3⤵
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
3⤵
PID:2620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
3⤵
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
3⤵
PID:1084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
3⤵
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
3⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
3⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
3⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5256 /prefetch:8
3⤵
PID:5512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
3⤵
PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,9100567294469044556,1467103746894282159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5716

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\#keyloggers.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6048

C:\Users\Admin\Desktop\#keyloggers\9Log\9LOG.exe
"C:\Users\Admin\Desktop\#keyloggers\9Log\9LOG.exe"
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
PID:2900

C:\Users\Admin\Desktop\#keyloggers\Aux Logger v3.0.0.0 Monitor\Aux Logger v3.exe
"C:\Users\Admin\Desktop\#keyloggers\Aux Logger v3.0.0.0 Monitor\Aux Logger v3.exe"
2⤵
- Executes dropped EXE
PID:2708

C:\Users\Admin\Desktop\#keyloggers\RapZo Logger 1.5 Public Edition\RapZo Logger v 1.5 ( Public Edition ).exe
"C:\Users\Admin\Desktop\#keyloggers\RapZo Logger 1.5 Public Edition\RapZo Logger v 1.5 ( Public Edition ).exe"
2⤵
- Executes dropped EXE
PID:5152

C:\Users\Admin\Desktop\#keyloggers\Aux Logger v3.0.0.0 Monitor\Aux Logger v3.exe
"C:\Users\Admin\Desktop\#keyloggers\Aux Logger v3.0.0.0 Monitor\Aux Logger v3.exe"
2⤵
- Executes dropped EXE
PID:3880

C:\Users\Admin\Desktop\#keyloggers\Anonymous Keylogger.exe
"C:\Users\Admin\Desktop\#keyloggers\Anonymous Keylogger.exe"
2⤵
- Executes dropped EXE
PID:2936

C:\Users\Admin\Desktop\#keyloggers\Digital Keylogger 3.3.exe
"C:\Users\Admin\Desktop\#keyloggers\Digital Keylogger 3.3.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3000

C:\Users\Admin\Desktop\#keyloggers\Dracula Logger.exe
"C:\Users\Admin\Desktop\#keyloggers\Dracula Logger.exe"
2⤵
- Executes dropped EXE
PID:4176

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\#keyloggers\Ecodsoft_Keylogger.rar"
2⤵
- Suspicious use of FindShellTrayWindow
PID:5192

C:\Users\Admin\Desktop\ecodsoft-keylogger\ecodsoft-keylogger.exe
"C:\Users\Admin\Desktop\ecodsoft-keylogger\ecodsoft-keylogger.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4696

C:\Users\Admin\AppData\Local\Temp\is-FHCFU.tmp\ecodsoft-keylogger.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FHCFU.tmp\ecodsoft-keylogger.tmp" /SL5="$1036A,1183210,54272,C:\Users\Admin\Desktop\ecodsoft-keylogger\ecodsoft-keylogger.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Program Files (x86)\Ecodsoft Keylogger\winsrv.exe
"C:\Program Files (x86)\Ecodsoft Keylogger\winsrv.exe"
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2960

C:\Program Files (x86)\Ecodsoft Keylogger\RunOnce.exe
"C:\Program Files (x86)\Ecodsoft Keylogger\RunOnce.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Users\Admin\Desktop\ecodsoft-keylogger\ecodsoft-keylogger.exe
"C:\Users\Admin\Desktop\ecodsoft-keylogger\ecodsoft-keylogger.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Users\Admin\AppData\Local\Temp\is-NKDVI.tmp\ecodsoft-keylogger.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NKDVI.tmp\ecodsoft-keylogger.tmp" /SL5="$F003E,1183210,54272,C:\Users\Admin\Desktop\ecodsoft-keylogger\ecodsoft-keylogger.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:6032

C:\Users\Admin\Desktop\KeySpy\KeySpy.exe
"C:\Users\Admin\Desktop\KeySpy\KeySpy.exe"
2⤵
PID:1696

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\#keyloggers\Fungus_Keylogger_v0.1.1.rar"
2⤵
- Suspicious use of FindShellTrayWindow
PID:2500

C:\Users\Admin\Desktop\Fungus Keylogger v0.1.1\Fungus Keylogger v0.1.1.exe
"C:\Users\Admin\Desktop\Fungus Keylogger v0.1.1\Fungus Keylogger v0.1.1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4364

C:\Users\Admin\Desktop\#keyloggers\Galaxy Logger.exe
"C:\Users\Admin\Desktop\#keyloggers\Galaxy Logger.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:3552

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\#keyloggers\GhostMsn_Builder.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5340

C:\Users\Admin\Desktop\GhostMsn_Builder\GhostMsn_Builder\GhostMsn_Builder.exe
"C:\Users\Admin\Desktop\GhostMsn_Builder\GhostMsn_Builder\GhostMsn_Builder.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Users\Admin\Desktop\GhostMsn_Builder\GhostMsn_Builder\upx.exe
"C:\Users\Admin\Desktop\GhostMsn_Builder\GhostMsn_Builder\upx.exe"
2⤵
- Executes dropped EXE
PID:2700

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\#keyloggers\HB_v1.2.1_beta.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4908

C:\Users\Admin\Desktop\HB_v1.2.1_beta\HBStub.exe
"C:\Users\Admin\Desktop\HB_v1.2.1_beta\HBStub.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3448

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\#keyloggers\IKlogger_v0.1.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1316

C:\Users\Admin\AppData\Local\Temp\7zO42585E9C\Editor.exe
"C:\Users\Admin\AppData\Local\Temp\7zO42585E9C\Editor.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6064

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\#keyloggers\Invisible_Keylogger_v2.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:540

C:\Users\Admin\Desktop\iks2k20d.exe
"C:\Users\Admin\Desktop\iks2k20d.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\iksinstall.exe
.\iksinstall.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:812

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\#keyloggers\JoDeDoR_Keylogger_v1.0.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:5384

C:\Users\Admin\Desktop\JoDeDoR Keylogger 1.0.exe
"C:\Users\Admin\Desktop\JoDeDoR Keylogger 1.0.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1684

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\#keyloggers\Key_and_Windows_logger.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:5956

C:\Users\Admin\Desktop\KeyLogger.exe
"C:\Users\Admin\Desktop\KeyLogger.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:376

C:\Users\Admin\Desktop\#keyloggers\Vulcan Logger.exe
"C:\Users\Admin\Desktop\#keyloggers\Vulcan Logger.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3640

C:\Users\Admin\Desktop\#keyloggers\TTiger Keylogger v1.0.exe
"C:\Users\Admin\Desktop\#keyloggers\TTiger Keylogger v1.0.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5476

C:\Users\Admin\Desktop\#keyloggers\TotalLoggerBuilder.exe
"C:\Users\Admin\Desktop\#keyloggers\TotalLoggerBuilder.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SendNotifyMessage
PID:4604

C:\Users\Admin\Desktop\#keyloggers\Syslogger Builder.exe
"C:\Users\Admin\Desktop\#keyloggers\Syslogger Builder.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3720

C:\Users\Admin\Desktop\#keyloggers\TotalLoggerBuilder.exe
"C:\Users\Admin\Desktop\#keyloggers\TotalLoggerBuilder.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:5540

C:\Users\Admin\Desktop\#keyloggers\TotalLoggerBuilder.exe
"C:\Users\Admin\Desktop\#keyloggers\TotalLoggerBuilder.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:4664

C:\Users\Admin\Desktop\#keyloggers\Silent Keylogger v1.6 Public Version By BUNNN.exe
"C:\Users\Admin\Desktop\#keyloggers\Silent Keylogger v1.6 Public Version By BUNNN.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5432

C:\Users\Admin\Desktop\#keyloggers\RinLogger.exe
"C:\Users\Admin\Desktop\#keyloggers\RinLogger.exe"
2⤵
- Executes dropped EXE
PID:4524

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1544
3⤵
PID:3332

C:\Users\Admin\Desktop\#keyloggers\RinLogger.exe
"C:\Users\Admin\Desktop\#keyloggers\RinLogger.exe"
2⤵
- Executes dropped EXE
PID:5664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3960

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3472

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:592

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4660

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:6116

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5892

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4920

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc NDIS NDIS-20240423-1738.dmp
1⤵
PID:5804

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4240

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3644

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3524

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:2792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools