cryptolocker | hxxps://github[.]com/ytisf/theZoo/blob/master/malware/Binaries/

Modify Registry

Processes:

procexp64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	procexp64.exe

Executes dropped EXE 6 IoCs

Processes:

procexp64.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

pid	process
1260	procexp64.exe
4944	{34184A33-0407-212E-3320-09040709E2C2}.exe
3900	{34184A33-0407-212E-3320-09040709E2C2}.exe
2360	{34184A33-0407-212E-3320-09040709E2C2}.exe
1276	{34184A33-0407-212E-3320-09040709E2C2}.exe
4188	{34184A33-0407-212E-3320-09040709E2C2}.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

procexp64.exe

description	ioc	process
File opened (read-only)	\??\O:	procexp64.exe
File opened (read-only)	\??\Y:	procexp64.exe
File opened (read-only)	\??\G:	procexp64.exe
File opened (read-only)	\??\H:	procexp64.exe
File opened (read-only)	\??\J:	procexp64.exe
File opened (read-only)	\??\X:	procexp64.exe
File opened (read-only)	\??\Z:	procexp64.exe
File opened (read-only)	\??\P:	procexp64.exe
File opened (read-only)	\??\V:	procexp64.exe
File opened (read-only)	\??\W:	procexp64.exe
File opened (read-only)	\??\L:	procexp64.exe
File opened (read-only)	\??\M:	procexp64.exe
File opened (read-only)	\??\N:	procexp64.exe
File opened (read-only)	\??\T:	procexp64.exe
File opened (read-only)	\??\A:	procexp64.exe
File opened (read-only)	\??\B:	procexp64.exe
File opened (read-only)	\??\E:	procexp64.exe
File opened (read-only)	\??\R:	procexp64.exe
File opened (read-only)	\??\S:	procexp64.exe
File opened (read-only)	\??\U:	procexp64.exe
File opened (read-only)	\??\I:	procexp64.exe
File opened (read-only)	\??\K:	procexp64.exe
File opened (read-only)	\??\Q:	procexp64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in System32 directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exeprocexp64.exeWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	procexp64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4022029615"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31061327"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4022029615"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 409abbf34ff5d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d08fa4f34ff5d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1AAB800E-6143-11EE-9359-66F797301216} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31061327"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000023945248a016ff4caf831eebccac29d8000000000200000000001066000000010000200000005406d3219bc1c3a83b01eedb00c3f7cf1b71afbd3ed7548f04458be416811460000000000e8000000002000020000000f94c33ca9e14ea9457ab54b9e31c7d315fe6e2363acb45340af81af047554a50200000008c5050ae4f4b3c329ef17f24e3a8d9163d0a52340449924264fb28d5476bc62b40000000a19792ec16fccbc740693816a58b75de534f0f77fe8c7bf046676e9325d0b11b6235b6b59ee200666b8069b3909f0b72b6bf2bc4dedb82ed05d0c0a5e628162e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000023945248a016ff4caf831eebccac29d800000000020000000000106600000001000020000000b9988c65b1d590424e6864b81c9e6f3ba6150e0aed80b7e20cf74120e53c8a5e000000000e80000000020000200000007598a5d567509e4a2ffe300f2a8e72e7d0124c07374f90ea6c6df04d5abe3ee620000000a88fec30eb564a51407635d46cefcdc4274f7a36223a3fe248a154d33880b38440000000345d70f75faffc04b33575547e4c8c0ce2d735e2d91729a3a963e67b030cfde4638bb4a7933fed2c757e81cbc7dc4e399e2ccc21576da9d5ee110aa0b96f7e53	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133407381961335052"	chrome.exe

Modifies registry class 3 IoCs

Processes:

mspaint.exechrome.exemspaint.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	mspaint.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

procexp64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	procexp64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	procexp64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	procexp64.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

1868 regedit.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4148 WINWORD.EXE
4148 WINWORD.EXE

pid	process
1868	regedit.exe

pid	process
4148	WINWORD.EXE
4148	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exeprocexp64.exe

pid	process
1280	chrome.exe
1280	chrome.exe
4768	chrome.exe
4768	chrome.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

regedit.exeOpenWith.exe

pid process

1868 regedit.exe
1732 OpenWith.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

procexp64.exe

pid process

1260 procexp64.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

1280 chrome.exe
1280 chrome.exe
1280 chrome.exe
1280 chrome.exe
1280 chrome.exe
1280 chrome.exe
1280 chrome.exe
1280 chrome.exe
1280 chrome.exe

pid	process
1868	regedit.exe
1732	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeprocexp64.exe

pid	process
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeprocexp64.exe

pid	process
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

procexp64.exemspaint.exeOpenWith.exemspaint.exeOpenWith.exeWINWORD.EXEiexplore.exeIEXPLORE.EXEfirefox.exemspaint.exe

pid	process
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
1260	procexp64.exe
416	mspaint.exe
4760	OpenWith.exe
1836	mspaint.exe
1732	OpenWith.exe
4148	WINWORD.EXE
4148	WINWORD.EXE
4148	WINWORD.EXE
4148	WINWORD.EXE
4148	WINWORD.EXE
4148	WINWORD.EXE
4148	WINWORD.EXE
1260	procexp64.exe
2576	iexplore.exe
2576	iexplore.exe
3744	IEXPLORE.EXE
3744	IEXPLORE.EXE
3744	IEXPLORE.EXE
4940	firefox.exe
2052	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1280 wrote to memory of 2156	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 2156	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3264	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4500	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 4500	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe
PID 1280 wrote to memory of 3552	1280	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/ytisf/theZoo/blob/master/malware/Binaries/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc7ff9758,0x7ffdc7ff9768,0x7ffdc7ff9778
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=388 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:2
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2912 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3412 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:1
  2⤵
  PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1580 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5460 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5472 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5812 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3424 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5284 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6272 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5636 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2976 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5444 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6532 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=744 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5516 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1668 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5380 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:1
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5800 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6496 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5476 --field-trial-handle=1964,i,15614726641191412608,11597158393865881017,131072 /prefetch:8
  2⤵
  PID:3908

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1388

C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe
"C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe"
1⤵
PID:1416
- C:\Users\Admin\AppData\Local\Temp\procexp64.exe
  "C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe"
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1260
- - C:\Windows\regedit.exe
    C:\Windows\regedit.exe
    3⤵
    - Runs regedit.exe
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1868

C:\Users\Admin\Desktop\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
"C:\Users\Admin\Desktop\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe"
1⤵
PID:4448
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Desktop\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4944
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
    3⤵
    - Executes dropped EXE
    PID:3900
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
    3⤵
    - Executes dropped EXE
    PID:2360
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
    3⤵
    - Executes dropped EXE
    PID:1276
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
      4⤵
      Executes dropped EXE
      PID:4188

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:2492

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\SetUnlock.jpeg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:2364

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\JoinRepair.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\GrantSwitch.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdc7ff9758,0x7ffdc7ff9768,0x7ffdc7ff9778
  2⤵
  PID:4404

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2576
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4768
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:4940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4940.0.599905894\1866213379" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1856 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a87ed4f-a308-4a53-91a1-f5c5cdcaf37c} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" 1964 2df6a8d8758 gpu
    3⤵
    PID:5096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4940.1.1754992687\389624670" -parentBuildID 20221007134813 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47f31b9d-fa0d-4a00-bd14-828a4dc6791b} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" 2364 2df6a039b58 socket
    3⤵
    PID:4868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4940.2.630901598\255516949" -childID 1 -isForBrowser -prefsHandle 3364 -prefMapHandle 3360 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e4b75f0-6ee6-40a6-beb7-11b622a8d6e7} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" 3376 2df6e6bd258 tab
    3⤵
    PID:880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4940.3.1728905636\609896643" -childID 2 -isForBrowser -prefsHandle 2788 -prefMapHandle 3324 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ac98e30-023b-4dcb-901a-cd3fa23b267e} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" 2512 2df6ca22e58 tab
    3⤵
    PID:4168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4940.4.1484380791\200509057" -childID 3 -isForBrowser -prefsHandle 3944 -prefMapHandle 3932 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19a7a11d-9246-4055-bd84-16b78727883f} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" 3956 2df6ed9a858 tab
    3⤵
    PID:1384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4940.6.2089233942\254158833" -childID 5 -isForBrowser -prefsHandle 5064 -prefMapHandle 5060 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1977de0b-3ba2-42e1-8058-a972b8438a80} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" 5020 2df6e66e858 tab
    3⤵
    PID:2864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4940.7.986548127\86046957" -childID 6 -isForBrowser -prefsHandle 5272 -prefMapHandle 5276 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2847fb1-6699-46f9-a32e-29ce4244ad1d} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" 5160 2df702bac58 tab
    3⤵
    PID:2004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4940.5.1358222078\321220165" -childID 4 -isForBrowser -prefsHandle 5052 -prefMapHandle 5048 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {163d5509-210a-4bb9-a404-7f5415b28691} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" 5040 2df6e66d658 tab
    3⤵
    PID:1948

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg" /ForceBootstrapPaint3D
1⤵
- Suspicious use of SetWindowsHookEx
PID:2052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery