a33b596a570e3ec4cf29dddb37e72adf57499e294c9c873c76429d18b1bc4427

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
60	2712	wscript.exe
61	2712	wscript.exe
63	2712	wscript.exe
67	2712	wscript.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables cmd.exe use via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	wscript.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\student.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\plugin-hang-ui.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VirtualBox.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\installer.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner32.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner64.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.exe	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit33.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adwcleaner_5.005.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updater.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhost.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner.exe	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htaedit.exe	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uTorrent.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\plugin-hang-ui.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssecse.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uTorrent.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninstall.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crashreporter.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssecse.exe	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner32.exe	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbsedit.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbsedit.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninstall.exe	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msert.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htaedit.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adwcleaner_5.005.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\student.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner64.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit33.exe\Debugger = "wscript.exe C:\\Users\\Public\\ghostroot\\Message.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	wscript.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3212	netsh.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
3596	icacls.exe
4420	takeown.exe
3220	icacls.exe
2976	takeown.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat	xcopy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat	xcopy.exe

Impair Defenses: Safe Mode Boot 1 TTPs 7 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	reg.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2976	takeown.exe
3596	icacls.exe
4420	takeown.exe
3220	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs"	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\ghostroot\\8ydfdsE.jpg"	wscript.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\ja-JP\Open76.vbs	wscript.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Open50.vbs	wscript.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Open196.vbs	wscript.exe
File opened for modification	C:\Program Files\dotnet\host\Open20.vbs	wscript.exe
File created	C:\Program Files\Java\jdk-1.8\Open159.vbs	wscript.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\Open100.vbs	wscript.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\Open130.vbs	wscript.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\Open30.vbs	wscript.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Open109.vbs	wscript.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\Open112.vbs	wscript.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\Open3.vbs	wscript.exe
File created	C:\Program Files\Windows Defender\Clap61.vbs	wscript.exe
File created	C:\Program Files\Windows NT\Accessories\Open132.vbs	wscript.exe
File created	C:\Program Files\Windows Photo Viewer\Clap123.vbs	wscript.exe
File opened for modification	C:\Program Files\Windows Sidebar\Clap125.vbs	wscript.exe
File created	C:\Program Files\dotnet\swidtag\Open233.vbs	wscript.exe
File created	C:\Program Files\Java\jre-1.8\Open101.vbs	wscript.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Open68.vbs	wscript.exe
File created	C:\Program Files\Windows Defender\en-US\Open243.vbs	wscript.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Open57.vbs	wscript.exe
File opened for modification	C:\Program Files\7-Zip\Lang\Open211.vbs	wscript.exe
File created	C:\Program Files\Internet Explorer\fr-FR\Open32.vbs	wscript.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\Open38.vbs	wscript.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\Open8.vbs	wscript.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\uk-UA\Open122.vbs	wscript.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\Open96.vbs	wscript.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\Open216.vbs	wscript.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\Open239.vbs	wscript.exe
File created	C:\Program Files\ModifiableWindowsApps\Clap240.vbs	wscript.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\Clap185.vbs	wscript.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\Open57.vbs	wscript.exe
File created	C:\Program Files\Google\Clap52.vbs	wscript.exe
File opened for modification	C:\Program Files\Google\Clap205.vbs	wscript.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\Open1.vbs	wscript.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\Open190.vbs	wscript.exe
File created	C:\Program Files\7-Zip\Clap82.vbs	wscript.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\Open76.vbs	wscript.exe
File opened for modification	C:\Program Files\Windows Mail\Clap166.vbs	wscript.exe
File created	C:\Program Files\Common Files\Services\Open88.vbs	wscript.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\Open11.vbs	wscript.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\Open198.vbs	wscript.exe
File created	C:\Program Files\Windows Multimedia Platform\Clap149.vbs	wscript.exe
File opened for modification	C:\Program Files\7-Zip\Clap110.vbs	wscript.exe
File created	C:\Program Files\7-Zip\Lang\Open116.vbs	wscript.exe
File opened for modification	C:\Program Files\dotnet\host\Open180.vbs	wscript.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\Open60.vbs	wscript.exe
File created	C:\Program Files\WindowsApps\MovedPackages\Open234.vbs	wscript.exe
File created	C:\Program Files\WindowsApps\Mutable\Open77.vbs	wscript.exe
File created	C:\Program Files\dotnet\Clap41.vbs	wscript.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Open149.vbs	wscript.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\Open147.vbs	wscript.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\Open236.vbs	wscript.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\Clap199.vbs	wscript.exe
File opened for modification	C:\Program Files\Common Files\Clap149.vbs	wscript.exe
File created	C:\Program Files\Internet Explorer\en-US\Open75.vbs	wscript.exe
File created	C:\Program Files\Microsoft Office 15\Clap77.vbs	wscript.exe
File created	C:\Program Files\Windows Defender\ja-JP\Open179.vbs	wscript.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\Open25.vbs	wscript.exe
File created	C:\Program Files\Windows Defender\en-US\Open135.vbs	wscript.exe
File created	C:\Program Files\WindowsApps\MovedPackages\Open195.vbs	wscript.exe
File created	C:\Program Files\WindowsApps\MovedPackages\Open224.vbs	wscript.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\Open35.vbs	wscript.exe
File created	C:\Program Files\WindowsApps\Deleted\Open88.vbs	wscript.exe
File created	C:\Program Files (x86)\Common Files\Services\Open172.vbs	wscript.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32	wscript.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 2 IoCs

pid	Process
2420	taskkill.exe
1504	taskkill.exe

Modifies Control Panel 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\s1159 = "Bolbi"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\s2359 = "Bolbi"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\Desktop	wscript.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "You have selected %1 as the default voice."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "C0A"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Laura - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_HW_es-ES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "5218064"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "French Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Katja"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SW"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Elsa - Italian (Italy)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Ayumi"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR de-DE Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech SW Voice Activation - German (Germany)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat.prev"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\AI041031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft David - English (United States)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Female"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Mark - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\L3082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\c1036.fe"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "16000"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Laura"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR Engine (11.0) Text Normalization"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_HW_en-US.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\MSTTSLocdeDE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "11.0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\lsr1041.lxa"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Ichiro - Japanese (Japan)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR it-IT Lts Lexicon"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = 49553b76dbc112bcd96e2ce32f82aa3750d88abb05779f5fac65e84c5363077e	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{81218F10-A8AA-44C4-9436-33A42C3852E9}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Cosimo"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Voices\\Tokens\\MSTTS_V110_EnUS_ZiraM"	SearchApp.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:POSITIVES-FALSES	WScript.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4584	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4016	msedge.exe
4016	msedge.exe
3564	msedge.exe
3564	msedge.exe
4320	identity_helper.exe
4320	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3328	7zFM.exe
Token: 35	3328	7zFM.exe
Token: SeSecurityPrivilege	3328	7zFM.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeTakeOwnershipPrivilege	2976	takeown.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	2216	explorer.exe
Token: SeCreatePagefilePrivilege	2216	explorer.exe
Token: SeShutdownPrivilege	2216	explorer.exe
Token: SeCreatePagefilePrivilege	2216	explorer.exe
Token: SeShutdownPrivilege	2216	explorer.exe
Token: SeCreatePagefilePrivilege	2216	explorer.exe
Token: SeShutdownPrivilege	2216	explorer.exe
Token: SeCreatePagefilePrivilege	2216	explorer.exe
Token: SeTakeOwnershipPrivilege	4420	takeown.exe
Token: SeShutdownPrivilege	2216	explorer.exe
Token: SeCreatePagefilePrivilege	2216	explorer.exe
Token: SeShutdownPrivilege	2216	explorer.exe
Token: SeCreatePagefilePrivilege	2216	explorer.exe
Token: SeShutdownPrivilege	2216	explorer.exe
Token: SeCreatePagefilePrivilege	2216	explorer.exe
Token: SeShutdownPrivilege	2216	explorer.exe
Token: SeCreatePagefilePrivilege	2216	explorer.exe
Token: SeShutdownPrivilege	2216	explorer.exe
Token: SeCreatePagefilePrivilege	2216	explorer.exe
Token: SeShutdownPrivilege	2216	explorer.exe
Token: SeCreatePagefilePrivilege	2216	explorer.exe
Token: SeShutdownPrivilege	2216	explorer.exe
Token: SeCreatePagefilePrivilege	2216	explorer.exe
Token: SeShutdownPrivilege	2216	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3328	7zFM.exe
3328	7zFM.exe
3564	msedge.exe
3564	msedge.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
1288	explorer.exe
4940	explorer.exe
4940	explorer.exe
4940	explorer.exe
4940	explorer.exe
4940	explorer.exe
4940	explorer.exe
4940	explorer.exe
4940	explorer.exe
4940	explorer.exe
4940	explorer.exe
4940	explorer.exe
4940	explorer.exe
4940	explorer.exe
4940	explorer.exe
4940	explorer.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1008	StartMenuExperienceHost.exe
1176	TextInputHost.exe
1176	TextInputHost.exe
2156	StartMenuExperienceHost.exe
3912	TextInputHost.exe
3912	TextInputHost.exe
1896	StartMenuExperienceHost.exe
1236	SearchApp.exe
3572	TextInputHost.exe
3572	TextInputHost.exe
4644	StartMenuExperienceHost.exe
3612	SearchApp.exe
1008	TextInputHost.exe
1008	TextInputHost.exe
2996	StartMenuExperienceHost.exe
1088	SearchApp.exe
2788	TextInputHost.exe
2788	TextInputHost.exe
1952	StartMenuExperienceHost.exe
1372	SearchApp.exe
4896	TextInputHost.exe
4896	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 2184	5108	cmd.exe	95
PID 5108 wrote to memory of 2184	5108	cmd.exe	95
PID 2184 wrote to memory of 3572	2184	net.exe	96
PID 2184 wrote to memory of 3572	2184	net.exe	96
PID 5108 wrote to memory of 2176	5108	cmd.exe	97
PID 5108 wrote to memory of 2176	5108	cmd.exe	97
PID 2176 wrote to memory of 4052	2176	net.exe	98
PID 2176 wrote to memory of 4052	2176	net.exe	98
PID 5108 wrote to memory of 3036	5108	cmd.exe	99
PID 5108 wrote to memory of 3036	5108	cmd.exe	99
PID 3036 wrote to memory of 1944	3036	net.exe	100
PID 3036 wrote to memory of 1944	3036	net.exe	100
PID 5108 wrote to memory of 2420	5108	cmd.exe	101
PID 5108 wrote to memory of 2420	5108	cmd.exe	101
PID 5108 wrote to memory of 1288	5108	cmd.exe	102
PID 5108 wrote to memory of 1288	5108	cmd.exe	102
PID 1288 wrote to memory of 4376	1288	net.exe	103
PID 1288 wrote to memory of 4376	1288	net.exe	103
PID 5108 wrote to memory of 2888	5108	cmd.exe	104
PID 5108 wrote to memory of 2888	5108	cmd.exe	104
PID 2888 wrote to memory of 1756	2888	net.exe	105
PID 2888 wrote to memory of 1756	2888	net.exe	105
PID 5108 wrote to memory of 3212	5108	cmd.exe	106
PID 5108 wrote to memory of 3212	5108	cmd.exe	106
PID 5108 wrote to memory of 1868	5108	cmd.exe	107
PID 5108 wrote to memory of 1868	5108	cmd.exe	107
PID 1868 wrote to memory of 3312	1868	net.exe	108
PID 1868 wrote to memory of 3312	1868	net.exe	108
PID 5108 wrote to memory of 1700	5108	cmd.exe	109
PID 5108 wrote to memory of 1700	5108	cmd.exe	109
PID 5108 wrote to memory of 2924	5108	cmd.exe	110
PID 5108 wrote to memory of 2924	5108	cmd.exe	110
PID 5108 wrote to memory of 1124	5108	cmd.exe	111
PID 5108 wrote to memory of 1124	5108	cmd.exe	111
PID 5108 wrote to memory of 4660	5108	cmd.exe	112
PID 5108 wrote to memory of 4660	5108	cmd.exe	112
PID 5108 wrote to memory of 1728	5108	cmd.exe	114
PID 5108 wrote to memory of 1728	5108	cmd.exe	114
PID 5108 wrote to memory of 1064	5108	cmd.exe	115
PID 5108 wrote to memory of 1064	5108	cmd.exe	115
PID 5108 wrote to memory of 4848	5108	cmd.exe	117
PID 5108 wrote to memory of 4848	5108	cmd.exe	117
PID 5108 wrote to memory of 2336	5108	cmd.exe	118
PID 5108 wrote to memory of 2336	5108	cmd.exe	118
PID 5108 wrote to memory of 448	5108	cmd.exe	119
PID 5108 wrote to memory of 448	5108	cmd.exe	119
PID 5108 wrote to memory of 2616	5108	cmd.exe	120
PID 5108 wrote to memory of 2616	5108	cmd.exe	120
PID 4716 wrote to memory of 1916	4716	cmd.exe	123
PID 4716 wrote to memory of 1916	4716	cmd.exe	123
PID 3636 wrote to memory of 3564	3636	WScript.exe	126
PID 3636 wrote to memory of 3564	3636	WScript.exe	126
PID 3564 wrote to memory of 2132	3564	msedge.exe	127
PID 3564 wrote to memory of 2132	3564	msedge.exe	127
PID 3564 wrote to memory of 4476	3564	msedge.exe	128
PID 3564 wrote to memory of 4476	3564	msedge.exe	128
PID 3564 wrote to memory of 4476	3564	msedge.exe	128
PID 3564 wrote to memory of 4476	3564	msedge.exe	128
PID 3564 wrote to memory of 4476	3564	msedge.exe	128
PID 3564 wrote to memory of 4476	3564	msedge.exe	128
PID 3564 wrote to memory of 4476	3564	msedge.exe	128
PID 3564 wrote to memory of 4476	3564	msedge.exe	128
PID 3564 wrote to memory of 4476	3564	msedge.exe	128
PID 3564 wrote to memory of 4476	3564	msedge.exe	128

System policy modification 1 TTPs 31 IoCs

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your PC has been wrecked by Bolbi!"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPinningToTaskbar = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\ = "cscript.exe"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\ = "rpdbfk.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\ = "wmplayer.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\ = "explorer.exe"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\ = "wscript.exe"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ATTENTION!"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms, = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoPinnedList = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Trojan.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Trojan\L0Lz.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3572
- C:\Windows\system32\net.exe
  net stop "SDRSVC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC"
    3⤵
    PID:4052
- C:\Windows\system32\net.exe
  net stop "WinDefend"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WinDefend"
    3⤵
    PID:1944
- C:\Windows\system32\taskkill.exe
  taskkill /f /t /im "MSASCui.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\system32\net.exe
  net stop "security center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "security center"
    3⤵
    PID:4376
- C:\Windows\system32\net.exe
  net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:1756
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode-disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:3212
- C:\Windows\system32\net.exe
  net stop "wuauserv"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wuauserv"
    3⤵
    PID:3312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo tasklist "
  2⤵
  PID:1700
- C:\Windows\system32\find.exe
  find /I "L0Lz"
  2⤵
  PID:2924
- C:\Windows\system32\xcopy.exe
  XCOPY "BitcoinMiner.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
  2⤵
  - Drops startup file
  PID:1124
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4660
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1728
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1064
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4848
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2336
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:448
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Trojan\BitcoinMiner.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\system32\reg.exe
  Reg Add "" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\Desktop\Trojan\L0Lz.bat" /f
  2⤵
  PID:1916

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Trojan\BonziKill.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4584

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Trojan\Carewmr.vbs"
1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.avp.ru/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fffbc3446f8,0x7fffbc344708,0x7fffbc344718
    3⤵
    PID:2132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9589623027147080014,16802953130239941577,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:4476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,9589623027147080014,16802953130239941577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,9589623027147080014,16802953130239941577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
    3⤵
    PID:1652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9589623027147080014,16802953130239941577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
    3⤵
    PID:1544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9589623027147080014,16802953130239941577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
    3⤵
    PID:4392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9589623027147080014,16802953130239941577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4436 /prefetch:1
    3⤵
    PID:3364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9589623027147080014,16802953130239941577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2664 /prefetch:1
    3⤵
    PID:324
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9589623027147080014,16802953130239941577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 /prefetch:8
    3⤵
    PID:1860
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    PID:3212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff604c75460,0x7ff604c75470,0x7ff604c75480
      4⤵
      PID:4508
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9589623027147080014,16802953130239941577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2144

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Trojan\Bolbi.vbs"
1⤵
- Checks computer location settings
PID:4084
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Desktop\Trojan\Bolbi.vbs" /elevated
  2⤵
  - UAC bypass
  - Blocklisted process makes network request
  - Disables cmd.exe use via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - System policy modification
  PID:2712
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
    3⤵
    - Modifies registry class
    PID:2724
  - - C:\Windows\System32\rundll32.exe
      C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
      4⤵
      PID:2784
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
      4⤵
      Impair Defenses: Safe Mode Boot
      PID:2720
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
      4⤵
      PID:1156
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1504
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Enumerates connected drives
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3532
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2976
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32 /Grant Users:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3596
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:4420
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\ /Grant Users:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Trojan\Guard.bat" "
1⤵
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Trojan\Guard.bat" "
1⤵
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Trojan\Guard.bat" "
1⤵
PID:3040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Trojan\Guard.bat"
1⤵
PID:1412

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1176

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3912

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1236

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3572

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3612

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1584

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1088

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2788

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4644

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4896

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Public\ghostroot\Message.vbs explorer.exe
1⤵
PID:4100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery