glupteba | 64dc2b5958fe37dd9733928c156e0c75ab544e2e0169f9f796c3f3db809bcbe5

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Firukumyco.exe

Deletes itself 1 IoCs

pid	Process
3048	Process not Found

Loads dropped DLL 23 IoCs

pid	Process
928	toolspab2 (13).exe
3672	18E8.exe
3032	8495.tmp
4132	I-Record.exe
4132	I-Record.exe
4132	I-Record.exe
4132	I-Record.exe
4132	I-Record.exe
4132	I-Record.exe
4132	I-Record.exe
4132	I-Record.exe
5800	PING.EXE
5800	PING.EXE
2144	toolspab1.exe
5192	rundll32.exe
5780	build2.exe
5780	build2.exe
4824	jtcuwff
6232	aicuwff
4308	jtcuwff
4324	aicuwff
6020	jtcuwff
852	aicuwff

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1716	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b7ad1122-5de5-4669-90c0-a4b343a46a5b\\7263.exe\" --AutoStart"	7263.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MSBuild\\Losigaerequ.exe\""	1075474_ah_hot_iconçè_)))_.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhbevlux = "\"C:\\Users\\Admin\\vuubsors.exe\""	98FA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8204.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
152	api.2ip.ua
359	api.2ip.ua
151	api.2ip.ua
507	api.2ip.ua
602	api.2ip.ua
113	api.2ip.ua
173	ip-api.com
393	api.2ip.ua
544	api.2ip.ua
657	api.2ip.ua
112	api.2ip.ua
362	api.2ip.ua
545	api.2ip.ua
360	api.2ip.ua

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
5800	PING.EXE

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 4056 set thread context of 928	4056	toolspab2 (13).exe	78
PID 3808 set thread context of 4080	3808	7263.exe	95
PID 4016 set thread context of 4192	4016	7263.exe	128
PID 5324 set thread context of 5780	5324	build2.exe	181
PID 6016 set thread context of 2144	6016	toolspab1.exe	182
PID 412 set thread context of 3084	412	svchost.exe	185
PID 6292 set thread context of 6696	6292	7263.exe	216
PID 6884 set thread context of 6232	6884	aicuwff	220
PID 1816 set thread context of 6296	1816	7263.exe	223
PID 4360 set thread context of 7004	4360	7263.exe	232
PID 6504 set thread context of 4324	6504	aicuwff	235
PID 5880 set thread context of 6828	5880	7263.exe	240
PID 6360 set thread context of 5912	6360	7263.exe	245
PID 5560 set thread context of 852	5560	aicuwff	250
PID 3744 set thread context of 5052	3744	7263.exe	253

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\i-record\avfilter-2.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\postproc-52.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-6U9M2.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-32PM7.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\unins000.dat	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avdevice-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avformat-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\swresample-0.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-DCA4I.tmp	irecord.tmp
File created	C:\Program Files (x86)\MSBuild\Losigaerequ.exe	1075474_ah_hot_iconçè_)))_.exe
File created	C:\Program Files (x86)\i-record\is-BED45.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-UTUIP.tmp	irecord.tmp
File created	C:\Program Files\Google\XXAUHEAEUZ\irecord.exe	1075474_ah_hot_iconçè_)))_.exe
File opened for modification	C:\Program Files (x86)\i-record\avcodec-53.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-3CQH0.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-Q1URF.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-876JV.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\I-Record.exe	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-QEO0G.tmp	irecord.tmp
File created	C:\Program Files\Google\XXAUHEAEUZ\irecord.exe.config	1075474_ah_hot_iconçè_)))_.exe
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\swscale-2.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-GP75N.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-3EIV8.tmp	irecord.tmp
File created	C:\Program Files (x86)\MSBuild\Losigaerequ.exe.config	1075474_ah_hot_iconçè_)))_.exe
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avutil-51.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-H53PQ.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-T47LL.tmp	irecord.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4200	1808	WerFault.exe	174
5044	2068	WerFault.exe	127
4272	5068	WerFault.exe	190
5264	36	WerFault.exe	210

Checks SCSI registry key(s) 3 TTPs 27 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jtcuwff
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	18E8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jtcuwff
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jtcuwff
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aicuwff
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aicuwff
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aicuwff
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (13).exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jtcuwff
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jtcuwff
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jtcuwff
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jtcuwff
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jtcuwff
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aicuwff
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aicuwff
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aicuwff
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (13).exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	18E8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aicuwff
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aicuwff
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aicuwff
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jtcuwff
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (13).exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	18E8.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6296	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2632	taskkill.exe
5132	taskkill.exe
2696	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	9659.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	9659.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	9659.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	9659.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	9659.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	9659.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	9659.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	9659.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	9659.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	9659.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaVRP = "Microsoft Zira Mobile - English (United States)"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaVRP = "11.0.2016.0129"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaVRP = "Microsoft Speech HW Voice Activation - English (United States)"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGLockdown	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\myactualblog.com\NumberOfSu = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaVRP = "6;18;22"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaVRP = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\AI041033"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F}\650478DC7424C37C\2 = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\myactualblog.com\ = "28"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaVRP = "{14E74C62-DC97-43B0-8F2F-581496A65D60}"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "913"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\acnav.online\ = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaVRP = "Traditional Chinese Phone Converter"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaVRP = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaVRP	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.acnav.online	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F}\650478DC7424C37C	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaVRP = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\myactualblog.com\ = "890"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	7263.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7263.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1075474_ah_hot_iconçè_)))_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703085c000000010000000400000000080000200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1075474_ah_hot_iconçè_)))_.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
6000	PING.EXE
4312	PING.EXE
3032	PING.EXE
5800	PING.EXE
1128	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
928	toolspab2 (13).exe
928	toolspab2 (13).exe
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3048	Process not Found

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
928	toolspab2 (13).exe
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3672	18E8.exe
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3956	explorer.exe
3956	explorer.exe
3576	explorer.exe
3576	explorer.exe
3816	explorer.exe
3816	explorer.exe
3956	explorer.exe
3956	explorer.exe
3576	explorer.exe
3576	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
2144	toolspab1.exe
3576	explorer.exe
3576	explorer.exe
3956	explorer.exe
3956	explorer.exe
4556	MicrosoftEdgeCP.exe
4556	MicrosoftEdgeCP.exe
3816	explorer.exe
3816	explorer.exe
3576	explorer.exe
3576	explorer.exe
3956	explorer.exe
3956	explorer.exe
4556	MicrosoftEdgeCP.exe
4556	MicrosoftEdgeCP.exe
3816	explorer.exe
3816	explorer.exe
3576	explorer.exe
3576	explorer.exe
3956	explorer.exe
3956	explorer.exe
3576	explorer.exe
3576	explorer.exe
3816	explorer.exe
3816	explorer.exe
3956	explorer.exe
3956	explorer.exe
4556	MicrosoftEdgeCP.exe
4556	MicrosoftEdgeCP.exe
4824	jtcuwff

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeManageVolumePrivilege	576	8204.exe
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeDebugPrivilege	1796	1075474_ah_hot_iconçè_)))_.exe
Token: SeManageVolumePrivilege	576	8204.exe
Token: SeCreateTokenPrivilege	1132	A34C.exe
Token: SeAssignPrimaryTokenPrivilege	1132	A34C.exe
Token: SeLockMemoryPrivilege	1132	A34C.exe
Token: SeIncreaseQuotaPrivilege	1132	A34C.exe
Token: SeMachineAccountPrivilege	1132	A34C.exe
Token: SeTcbPrivilege	1132	A34C.exe
Token: SeSecurityPrivilege	1132	A34C.exe
Token: SeTakeOwnershipPrivilege	1132	A34C.exe
Token: SeLoadDriverPrivilege	1132	A34C.exe
Token: SeSystemProfilePrivilege	1132	A34C.exe
Token: SeSystemtimePrivilege	1132	A34C.exe
Token: SeProfSingleProcessPrivilege	1132	A34C.exe
Token: SeIncBasePriorityPrivilege	1132	A34C.exe
Token: SeCreatePagefilePrivilege	1132	A34C.exe
Token: SeCreatePermanentPrivilege	1132	A34C.exe
Token: SeBackupPrivilege	1132	A34C.exe
Token: SeRestorePrivilege	1132	A34C.exe
Token: SeShutdownPrivilege	1132	A34C.exe
Token: SeDebugPrivilege	1132	A34C.exe
Token: SeAuditPrivilege	1132	A34C.exe
Token: SeSystemEnvironmentPrivilege	1132	A34C.exe
Token: SeChangeNotifyPrivilege	1132	A34C.exe
Token: SeRemoteShutdownPrivilege	1132	A34C.exe
Token: SeUndockPrivilege	1132	A34C.exe
Token: SeSyncAgentPrivilege	1132	A34C.exe
Token: SeEnableDelegationPrivilege	1132	A34C.exe
Token: SeManageVolumePrivilege	1132	A34C.exe
Token: SeImpersonatePrivilege	1132	A34C.exe
Token: SeCreateGlobalPrivilege	1132	A34C.exe
Token: 31	1132	A34C.exe
Token: 32	1132	A34C.exe
Token: 33	1132	A34C.exe
Token: 34	1132	A34C.exe
Token: 35	1132	A34C.exe
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2240	irecord.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3048	Process not Found
4120	MicrosoftEdge.exe
4556	MicrosoftEdgeCP.exe
4556	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 928	4056	toolspab2 (13).exe	78
PID 4056 wrote to memory of 928	4056	toolspab2 (13).exe	78
PID 4056 wrote to memory of 928	4056	toolspab2 (13).exe	78
PID 4056 wrote to memory of 928	4056	toolspab2 (13).exe	78
PID 4056 wrote to memory of 928	4056	toolspab2 (13).exe	78
PID 4056 wrote to memory of 928	4056	toolspab2 (13).exe	78
PID 3048 wrote to memory of 3672	3048	Process not Found	80
PID 3048 wrote to memory of 3672	3048	Process not Found	80
PID 3048 wrote to memory of 3672	3048	Process not Found	80
PID 3048 wrote to memory of 4004	3048	Process not Found	81
PID 3048 wrote to memory of 4004	3048	Process not Found	81
PID 3048 wrote to memory of 4004	3048	Process not Found	81
PID 3048 wrote to memory of 4004	3048	Process not Found	81
PID 3048 wrote to memory of 2140	3048	Process not Found	82
PID 3048 wrote to memory of 2140	3048	Process not Found	82
PID 3048 wrote to memory of 2140	3048	Process not Found	82
PID 3048 wrote to memory of 2428	3048	Process not Found	83
PID 3048 wrote to memory of 2428	3048	Process not Found	83
PID 3048 wrote to memory of 2428	3048	Process not Found	83
PID 3048 wrote to memory of 2428	3048	Process not Found	83
PID 3048 wrote to memory of 3956	3048	Process not Found	84
PID 3048 wrote to memory of 3956	3048	Process not Found	84
PID 3048 wrote to memory of 3956	3048	Process not Found	84
PID 3048 wrote to memory of 2100	3048	Process not Found	85
PID 3048 wrote to memory of 2100	3048	Process not Found	85
PID 3048 wrote to memory of 2100	3048	Process not Found	85
PID 3048 wrote to memory of 2100	3048	Process not Found	85
PID 3048 wrote to memory of 3816	3048	Process not Found	86
PID 3048 wrote to memory of 3816	3048	Process not Found	86
PID 3048 wrote to memory of 3816	3048	Process not Found	86
PID 3048 wrote to memory of 4056	3048	Process not Found	87
PID 3048 wrote to memory of 4056	3048	Process not Found	87
PID 3048 wrote to memory of 4056	3048	Process not Found	87
PID 3048 wrote to memory of 4056	3048	Process not Found	87
PID 3048 wrote to memory of 3576	3048	Process not Found	88
PID 3048 wrote to memory of 3576	3048	Process not Found	88
PID 3048 wrote to memory of 3576	3048	Process not Found	88
PID 3048 wrote to memory of 2660	3048	Process not Found	89
PID 3048 wrote to memory of 2660	3048	Process not Found	89
PID 3048 wrote to memory of 2660	3048	Process not Found	89
PID 3048 wrote to memory of 2660	3048	Process not Found	89
PID 3048 wrote to memory of 3808	3048	Process not Found	90
PID 3048 wrote to memory of 3808	3048	Process not Found	90
PID 3048 wrote to memory of 3808	3048	Process not Found	90
PID 3048 wrote to memory of 576	3048	Process not Found	91
PID 3048 wrote to memory of 576	3048	Process not Found	91
PID 3048 wrote to memory of 576	3048	Process not Found	91
PID 3048 wrote to memory of 484	3048	Process not Found	92
PID 3048 wrote to memory of 484	3048	Process not Found	92
PID 3048 wrote to memory of 484	3048	Process not Found	92
PID 484 wrote to memory of 3032	484	8495.exe	93
PID 484 wrote to memory of 3032	484	8495.exe	93
PID 484 wrote to memory of 3032	484	8495.exe	93
PID 3032 wrote to memory of 1796	3032	8495.tmp	94
PID 3032 wrote to memory of 1796	3032	8495.tmp	94
PID 3808 wrote to memory of 4080	3808	7263.exe	95
PID 3808 wrote to memory of 4080	3808	7263.exe	95
PID 3808 wrote to memory of 4080	3808	7263.exe	95
PID 3808 wrote to memory of 4080	3808	7263.exe	95
PID 3808 wrote to memory of 4080	3808	7263.exe	95
PID 3808 wrote to memory of 4080	3808	7263.exe	95
PID 3808 wrote to memory of 4080	3808	7263.exe	95
PID 3808 wrote to memory of 4080	3808	7263.exe	95
PID 3808 wrote to memory of 4080	3808	7263.exe	95

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:344
- C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe
  C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6292
- - C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe
    C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe --Task
    3⤵
    - Executes dropped EXE
    PID:6696
- C:\Users\Admin\AppData\Roaming\jtcuwff
  C:\Users\Admin\AppData\Roaming\jtcuwff
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4824
- C:\Users\Admin\AppData\Roaming\aicuwff
  C:\Users\Admin\AppData\Roaming\aicuwff
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6884
- - C:\Users\Admin\AppData\Roaming\aicuwff
    C:\Users\Admin\AppData\Roaming\aicuwff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:6232
- C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe
  C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1816
- - C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe
    C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe --Task
    3⤵
    - Executes dropped EXE
    PID:6296
- C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe
  C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4360
- - C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe
    C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe --Task
    3⤵
    - Executes dropped EXE
    PID:7004
- C:\Users\Admin\AppData\Roaming\jtcuwff
  C:\Users\Admin\AppData\Roaming\jtcuwff
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  PID:4308
- C:\Users\Admin\AppData\Roaming\aicuwff
  C:\Users\Admin\AppData\Roaming\aicuwff
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6504
- - C:\Users\Admin\AppData\Roaming\aicuwff
    C:\Users\Admin\AppData\Roaming\aicuwff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:4324
- C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe
  C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5880
- - C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe
    C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe --Task
    3⤵
    - Executes dropped EXE
    PID:6828
- C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe
  C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6360
- - C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe
    C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe --Task
    3⤵
    - Executes dropped EXE
    PID:5912
- C:\Users\Admin\AppData\Roaming\jtcuwff
  C:\Users\Admin\AppData\Roaming\jtcuwff
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  PID:6020
- C:\Users\Admin\AppData\Roaming\aicuwff
  C:\Users\Admin\AppData\Roaming\aicuwff
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5560
- - C:\Users\Admin\AppData\Roaming\aicuwff
    C:\Users\Admin\AppData\Roaming\aicuwff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:852
- C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe
  C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3744
- - C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe
    C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b\7263.exe --Task
    3⤵
    - Executes dropped EXE
    PID:5052

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2368

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2604

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2712

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
- Modifies registry class
PID:2724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\toolspab2 (13).exe
"C:\Users\Admin\AppData\Local\Temp\toolspab2 (13).exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Local\Temp\toolspab2 (13).exe
  "C:\Users\Admin\AppData\Local\Temp\toolspab2 (13).exe"
  2⤵
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:928

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1924

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1368

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1112

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:996

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
PID:412
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:3084

C:\Users\Admin\AppData\Local\Temp\18E8.exe
C:\Users\Admin\AppData\Local\Temp\18E8.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3672

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4004

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2140

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2428

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3956

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2100

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3816

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4056

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3576

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\7263.exe
C:\Users\Admin\AppData\Local\Temp\7263.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Users\Admin\AppData\Local\Temp\7263.exe
  C:\Users\Admin\AppData\Local\Temp\7263.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies system certificate store
  PID:4080
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\b7ad1122-5de5-4669-90c0-a4b343a46a5b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\7263.exe
    "C:\Users\Admin\AppData\Local\Temp\7263.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4016
  - - C:\Users\Admin\AppData\Local\Temp\7263.exe
      "C:\Users\Admin\AppData\Local\Temp\7263.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Modifies extensions of user files
      PID:4192
    - - C:\Users\Admin\AppData\Local\a2d66298-916d-433d-87c6-f4cec31f9906\build2.exe
        
        "C:\Users\Admin\AppData\Local\a2d66298-916d-433d-87c6-f4cec31f9906\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5324
      - C:\Users\Admin\AppData\Local\a2d66298-916d-433d-87c6-f4cec31f9906\build2.exe
        
        "C:\Users\Admin\AppData\Local\a2d66298-916d-433d-87c6-f4cec31f9906\build2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:5780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\a2d66298-916d-433d-87c6-f4cec31f9906\build2.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im build2.exe /f
        8⤵
        Kills process with taskkill
        
        PID:2696
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:6296

C:\Users\Admin\AppData\Local\Temp\8204.exe
C:\Users\Admin\AppData\Local\Temp\8204.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Users\Admin\AppData\Local\Temp\8495.exe
C:\Users\Admin\AppData\Local\Temp\8495.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:484
- C:\Users\Admin\AppData\Local\Temp\is-TOPLN.tmp\8495.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TOPLN.tmp\8495.tmp" /SL5="$501D0,506127,422400,C:\Users\Admin\AppData\Local\Temp\8495.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\is-68I7T.tmp\1075474_ah_hot_iconçè_)))_.exe
    "C:\Users\Admin\AppData\Local\Temp\is-68I7T.tmp\1075474_ah_hot_iconçè_)))_.exe" /S /UID=rec7
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
  - - C:\Program Files\Google\XXAUHEAEUZ\irecord.exe
      "C:\Program Files\Google\XXAUHEAEUZ\irecord.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      PID:1968
    - - C:\Users\Admin\AppData\Local\Temp\is-FJ7BT.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FJ7BT.tmp\irecord.tmp" /SL5="$B0054,5808768,66560,C:\Program Files\Google\XXAUHEAEUZ\irecord.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:2240
      - C:\Program Files (x86)\i-record\I-Record.exe
        
        "C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\8c-6fee6-74b-688bd-579e0c84b3944\Firukumyco.exe
      "C:\Users\Admin\AppData\Local\Temp\8c-6fee6-74b-688bd-579e0c84b3944\Firukumyco.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\82-0ee01-857-f97b1-048bb1f0a8cb6\Fylaedopidi.exe
      "C:\Users\Admin\AppData\Local\Temp\82-0ee01-857-f97b1-048bb1f0a8cb6\Fylaedopidi.exe"
      4⤵
      Executes dropped EXE
      PID:1552
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zcu5md5g.e3b\GcleanerEU.exe /eufive & exit
        5⤵
        
        PID:3108
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pzfcj1tc.i21\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        
        PID:4012
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\30emjo4k.i4q\ufgaa.exe & exit
        5⤵
        
        PID:5056
      - C:\Users\Admin\AppData\Local\Temp\30emjo4k.i4q\ufgaa.exe
        
        C:\Users\Admin\AppData\Local\Temp\30emjo4k.i4q\ufgaa.exe
        6⤵
        Executes dropped EXE
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:4296
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bvb55nnr.tks\google-game.exe & exit
        5⤵
        
        PID:5796
      - C:\Users\Admin\AppData\Local\Temp\bvb55nnr.tks\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\bvb55nnr.tks\google-game.exe
        6⤵
        Executes dropped EXE
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\bvb55nnr.tks\google-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bvb55nnr.tks\google-game.exe" -a
        7⤵
        Executes dropped EXE
        
        PID:3808
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jqis5zvm.iu4\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:768
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mlruqehz.gfi\toolspab1.exe & exit
        5⤵
        
        PID:4536
      - C:\Users\Admin\AppData\Local\Temp\mlruqehz.gfi\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\mlruqehz.gfi\toolspab1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\mlruqehz.gfi\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\mlruqehz.gfi\toolspab1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:2144

C:\Users\Admin\AppData\Local\Temp\9659.exe
C:\Users\Admin\AppData\Local\Temp\9659.exe
1⤵
- Executes dropped EXE
PID:1816
- C:\Users\Admin\AppData\Local\Temp\9659.exe
  "C:\Users\Admin\AppData\Local\Temp\9659.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:6872

C:\Users\Admin\AppData\Local\Temp\98FA.exe
C:\Users\Admin\AppData\Local\Temp\98FA.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\swqtkajm\
  2⤵
  PID:8
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hcyfrbpe.exe" C:\Windows\SysWOW64\swqtkajm\
  2⤵
  PID:364
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create swqtkajm binPath= "C:\Windows\SysWOW64\swqtkajm\hcyfrbpe.exe /d\"C:\Users\Admin\AppData\Local\Temp\98FA.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:736
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description swqtkajm "wifi internet conection"
  2⤵
  PID:4216
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start swqtkajm
  2⤵
  PID:4396
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:4516
- C:\Users\Admin\vuubsors.exe
  "C:\Users\Admin\vuubsors.exe" /d"C:\Users\Admin\AppData\Local\Temp\98FA.exe"
  2⤵
  - Executes dropped EXE
  PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nielxhvk.exe" C:\Windows\SysWOW64\swqtkajm\
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" config swqtkajm binPath= "C:\Windows\SysWOW64\swqtkajm\nielxhvk.exe /d\"C:\Users\Admin\vuubsors.exe\""
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start swqtkajm
    3⤵
    PID:800
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1484.bat" "
    3⤵
    PID:5256
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:6000
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4312
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3032
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Loads dropped DLL
      Suspicious use of NtCreateThreadExHideFromDebugger
      Runs ping.exe
      PID:5800
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1128

C:\Users\Admin\AppData\Local\Temp\A34C.exe
C:\Users\Admin\AppData\Local\Temp\A34C.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:4904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    PID:5132

C:\Users\Admin\AppData\Local\Temp\B3B8.exe
C:\Users\Admin\AppData\Local\Temp\B3B8.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Users\Admin\AppData\Local\Temp\C1C2.exe
C:\Users\Admin\AppData\Local\Temp\C1C2.exe
1⤵
- Executes dropped EXE
PID:4636

C:\Users\Admin\AppData\Local\Temp\CA7E.exe
C:\Users\Admin\AppData\Local\Temp\CA7E.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Users\Admin\AppData\Local\Temp\D397.exe
C:\Users\Admin\AppData\Local\Temp\D397.exe
1⤵
PID:4904
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VbsCript: clOSE (CrEAteOBJect ("WscRIPt.ShELL" ). rUN("CMd.EXE /q /c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\D397.exe"" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF """"=="""" for %s IN ( ""C:\Users\Admin\AppData\Local\Temp\D397.exe"") do taskkill -f /Im ""%~nxs"" " ,0 , truE ))
  2⤵
  PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /q /c Copy /Y "C:\Users\Admin\AppData\Local\Temp\D397.exe" ..\IpDIhVj3g.ExE &&STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M&IF ""=="" for %s IN ( "C:\Users\Admin\AppData\Local\Temp\D397.exe") do taskkill -f /Im "%~nxs"
    3⤵
    PID:4260
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:736
  - - C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE
      ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M
      4⤵
      Executes dropped EXE
      PID:484
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCript: clOSE (CrEAteOBJect ("WscRIPt.ShELL" ). rUN("CMd.EXE /q /c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE"" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF ""/PyPXDDGMMiEeTQRVIP2SQdwWi2M""=="""" for %s IN ( ""C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE"") do taskkill -f /Im ""%~nxs"" " ,0 , truE ))
        5⤵
        
        PID:5364
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c Copy /Y "C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE" ..\IpDIhVj3g.ExE &&STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M&IF "/PyPXDDGMMiEeTQRVIP2SQdwWi2M"=="" for %s IN ( "C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE") do taskkill -f /Im "%~nxs"
        6⤵
        
        PID:5632
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCrIpT: cLose (CreAteObject( "wSCrIPt.ShelL"). RUN( "cMd /Q /C ecHo 6C:\Users\Admin\AppData\Local\TempZwG> QEFuCrB.w &ECHO | SeT /p = ""MZ"" > 0CZKPbA.~i &copy /Y /b 0CZKPBA.~i +HzMuGQn.ebg +3KLPjZ48.1 + JBBP.aZ+jjD1CZ.Z +ME53U.RD + G8HVV~AW.A + QEFuCRB.w ..\LPHzR4.XZ &sTaRt regsvr32.exe ..\LphZr4.XZ /U -S & dEl /Q * " ,0, tRuE ) )
        5⤵
        
        PID:6044
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C ecHo 6C:\Users\Admin\AppData\Local\TempZwG> QEFuCrB.w &ECHO | SeT /p = "MZ" >0CZKPbA.~i &copy /Y /b 0CZKPBA.~i+HzMuGQn.ebg +3KLPjZ48.1 + JBBP.aZ+jjD1CZ.Z+ME53U.RD +G8HVV~AW.A + QEFuCRB.w ..\LPHzR4.XZ&sTaRt regsvr32.exe ..\LphZr4.XZ /U -S&dEl /Q *
        6⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO "
        7⤵
        Executes dropped EXE
        
        PID:5552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>0CZKPbA.~i"
        7⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe ..\LphZr4.XZ /U -S
        7⤵
        
        PID:5800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -f /Im "D397.exe"
      4⤵
      Kills process with taskkill
      PID:2632

C:\Users\Admin\AppData\Local\Temp\DBE5.exe
C:\Users\Admin\AppData\Local\Temp\DBE5.exe
1⤵
- Executes dropped EXE
PID:2068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 1412
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:5044

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4120

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4892

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4556

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1808
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1808 -s 1372
  2⤵
  - Program crash
  PID:4200

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:5348
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  PID:5192

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5068
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5068 -s 1232
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:4272

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4076

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s LicenseManager
1⤵
- Executes dropped EXE
PID:4904

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:6840

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3032

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:36
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 36 -s 2004
  2⤵
  - Program crash
  PID:5264

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2744

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5608

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4716

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5604

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5412

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:676

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5404

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6700

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4164

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6248

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery