elysiumstealer | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8359490.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8359490.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Gypaxylaegi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Jegabaelaewa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	google-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	google-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Faesahaexoty.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	google-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	guihuali-game.exe

Loads dropped DLL 64 IoCs

pid	Process
4888	Install.tmp
4232	installer.exe
4232	installer.exe
4232	installer.exe
4576	MsiExec.exe
4576	MsiExec.exe
4468	rUNdlL32.eXe
3876	8359490.exe
3876	8359490.exe
3876	8359490.exe
3876	8359490.exe
3876	8359490.exe
3876	8359490.exe
3876	8359490.exe
3876	8359490.exe
3876	8359490.exe
3876	8359490.exe
4232	installer.exe
3876	8359490.exe
5408	toolspab1.exe
3876	8359490.exe
5704	irecord.exe
5704	irecord.exe
5704	irecord.exe
5704	irecord.exe
5704	irecord.exe
5704	irecord.exe
5704	irecord.exe
3876	8359490.exe
5420	cmd.exe
5420	cmd.exe
5420	cmd.exe
4860	MsiExec.exe
4860	MsiExec.exe
972	MsiExec.exe
4188	702564a0.exe
972	MsiExec.exe
972	MsiExec.exe
5468	Setup3310.tmp
5468	Setup3310.tmp
972	MsiExec.exe
972	MsiExec.exe
972	MsiExec.exe
972	MsiExec.exe
972	MsiExec.exe
972	MsiExec.exe
972	MsiExec.exe
5420	cmd.exe
972	MsiExec.exe
972	MsiExec.exe
1300	LabPicV3.tmp
5876	lylal220.tmp
5640	MsiExec.exe
5640	MsiExec.exe
5640	MsiExec.exe
5640	MsiExec.exe
5640	MsiExec.exe
5352	rUNdlL32.eXe
5640	MsiExec.exe
5640	MsiExec.exe
972	MsiExec.exe
1432	5A65.exe
5440	i-record.exe
5440	i-record.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Tybahihiwy.exe\""	Ultra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	2025378.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\Kaecorekucy.exe\""	4_177039.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Nekahiseti.exe\""	3316505.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Windows\\System\\svchost.exe"	5BB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8359490.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg7_7wjg.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	cmd.exe
File opened (read-only)	\??\I:	cmd.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	cmd.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	cmd.exe
File opened (read-only)	\??\X:	cmd.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\Y:	cmd.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	cmd.exe
File opened (read-only)	\??\G:	cmd.exe
File opened (read-only)	\??\V:	cmd.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	cmd.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	cmd.exe
File opened (read-only)	\??\Z:	cmd.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\L:	cmd.exe
File opened (read-only)	\??\Q:	cmd.exe
File opened (read-only)	\??\S:	cmd.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\M:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
515	ipinfo.io
518	ipinfo.io
519	ipinfo.io
49	ip-api.com
192	ipinfo.io
194	ipinfo.io
312	ip-api.com

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 29D0A4A0726C0269	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 869242B94A88CB3A	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3876	8359490.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 4604 set thread context of 4852	4604	svchost.exe	115
PID 5964 set thread context of 5408	5964	toolspab1.exe	129
PID 5248 set thread context of 5796	5248	dp81GdX0OrCQ.exe	195
PID 6384 set thread context of 8092	6384	toolspab1.exe	289
PID 7504 set thread context of 7392	7504	toolspab1.exe	292
PID 6512 set thread context of 6192	6512	tjrasfw	355
PID 9316 set thread context of 9540	9316	tjrasfw	382

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Picture Lab\is-54722.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\unins000.dat	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\d	jg7_7wjg.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\recording\avutil-51.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-61JIL.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-0E20R.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe	irecord.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe	irecord.exe
File created	C:\Program Files (x86)\recording\is-0ODQ4.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\d.INTEG.RAW	jg7_7wjg.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe	irecord.exe
File opened for modification	C:\Program Files (x86)\recording\unins000.exe	irecord.tmp
File created	C:\Program Files (x86)\Windows Multimedia Platform\Nekahiseti.exe.config	3316505.exe
File created	C:\Program Files (x86)\recording\is-P6A5S.tmp	irecord.tmp
File created	C:\Program Files (x86)\Picture Lab\is-DBEAF.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-0473K.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.exe	irecord.exe
File created	C:\Program Files\Windows Photo Viewer\DLIGYCYTOI\irecord.exe	4_177039.exe
File opened for modification	C:\Program Files (x86)\recording\AForge.Video.FFMPEG.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avcodec-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Math.dll	prolab.tmp
File created	C:\Program Files\Windows Sidebar\VXDUWAWIKE\ultramediaburner.exe	Ultra.exe
File opened for modification	C:\Program Files (x86)\recording\swresample-0.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\recording\is-O9JH9.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe	Setup.exe
File created	C:\Program Files (x86)\recording\is-PHBLI.tmp	irecord.tmp
File created	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-211LD.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\Windows Portable Devices\Tybahihiwy.exe	Ultra.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files\Windows NT\PGDZOOSHCB\prolab.exe	3316505.exe
File created	C:\Program Files (x86)\recording\is-2FM2A.tmp	irecord.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\recording\avdevice-53.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-MTVJ2.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll	prolab.tmp
File created	C:\Program Files (x86)\Data Finder\Versium Research\tmp.edb	jg7_7wjg.exe
File opened for modification	C:\Program Files (x86)\recording\Bunifu_UI_v1.52.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\postproc-52.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-HSG9U.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-CD5G4.tmp	irecord.tmp
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Kaecorekucy.exe	4_177039.exe
File created	C:\Program Files (x86)\recording\is-NOCNF.tmp	irecord.tmp
File created	C:\Program Files (x86)\Picture Lab\is-UK2OP.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\d.jfm	jg7_7wjg.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe	irecord.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe	irecord.exe
File created	C:\Program Files (x86)\recording\is-HAA1O.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe	irecord.exe
File created	C:\Program Files (x86)\Picture Lab\is-CPJ57.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\i-record.exe	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avfilter-2.dll	irecord.tmp
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Kaecorekucy.exe.config	4_177039.exe
File created	C:\Program Files\Windows Sidebar\VXDUWAWIKE\ultramediaburner.exe.config	Ultra.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe	irecord.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe	irecord.exe
File created	C:\Program Files\Windows Photo Viewer\DLIGYCYTOI\irecord.exe.config	4_177039.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIA834.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA5F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA7EE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5213.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5AB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9314.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB8B9.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4946.tmp	msiexec.exe
File created	C:\Windows\System\xxx1.bak	5BB.exe
File created	C:\Windows\System\svchost.exe	5BB.exe
File opened for modification	C:\Windows\Installer\MSIA87B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8FC5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE33.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI313.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI97B9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC67.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8DB1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA65F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4F42.tmp	msiexec.exe
File opened for modification	C:\Windows\System\svchost.exe	5BB.exe
File opened for modification	C:\Windows\System\libcrypto-1_1.dll	svchost.exe
File opened for modification	C:\Windows\Installer\MSI595.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9AEA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8BAC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9555.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C99.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA9EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI52D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI54F4.tmp	msiexec.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\Installer\MSI9218.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9AA7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1AD.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI97F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB84B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC38.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6084.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8033.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8B42.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F2B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI70D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB6C.tmp	msiexec.exe
File created	C:\Windows\Installer\f747f48.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC4D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAEC0.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI98A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAEEA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f747f48.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI503D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5FF6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87C6.tmp	msiexec.exe
File opened for modification	C:\Windows\System\libgcc_s_sjlj-1.dll	svchost.exe
File opened for modification	C:\Windows\System\spoolsv.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
7812	5608	WerFault.exe	320
180	2312	WerFault.exe	184
7388	96	WerFault.exe	351
9108	9004	WerFault.exe	361
9448	9364	WerFault.exe	380

Checks SCSI registry key(s) 3 TTPs 27 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjrasfw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjrasfw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjrasfw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjrasfw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gsrasfw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gsrasfw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gsrasfw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gsrasfw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gsrasfw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjrasfw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gsrasfw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjrasfw

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RunWW.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RunWW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
7528	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
5288	taskkill.exe
5760	taskkill.exe
4812	taskkill.exe
6956	taskkill.exe
5532	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	app.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\18\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	app.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGLockdown\BlameModules\00000000 = "MicrosoftEdgeCP.exe\\wincorlib.DLL\\advapi32.dll\\USER32.dll\\clipc.dll\\msiso.dll\\SHELL32.dll\\WINHTTP.dll\\CRYPTBASE.dll\\Windows.UI.dll\\usermgrcli.dll\\msctf.dll\\mrmcorer.dll\\UiaManager.dll\\d3d10warp.dll\\Windows.Graphics.dll\\E"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "2"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\release.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.propapps.info	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "17"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 6050b92c174cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "50"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\strength.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\approval.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\argument.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dominate.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\allcommonblog.com\ = "111"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\door.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\propapps.info	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\statement.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\password.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\brandnew.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = e06c498c174cd701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 10eaf043474cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\important.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\report.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\prospect.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\strength.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.google.com	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{C432524A-CF3E-4819-8D77-616FF1D630B2}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "9"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\moment.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "29"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\allcommonblog.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\warning.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\stunning.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\read.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\reaction.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "84"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 80b57ab5174cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\specimen.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\brandnew.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\propapps.info\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\memo.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 817b5a4c164cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\letter.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
5952	PING.EXE
7372	PING.EXE
7436	PING.EXE

Script User-Agent 23 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	220	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	518	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	519	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	538	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	542	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	225	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	524	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	532	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	536	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	540	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	533	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	193	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	194	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	197	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	517	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	521	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	537	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	541	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	203	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	242	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	516	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	530	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	534	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4088	ultramediaburner.tmp
4088	ultramediaburner.tmp
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe
4216	Matunikyha.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3008	Process not Found

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
5408	toolspab1.exe
4188	702564a0.exe
6604	MicrosoftEdgeCP.exe
6604	MicrosoftEdgeCP.exe
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
5084	explorer.exe
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
5700	explorer.exe
5700	explorer.exe
5700	explorer.exe
5700	explorer.exe
3008	Process not Found
3008	Process not Found
5700	explorer.exe
5700	explorer.exe
5084	explorer.exe
5084	explorer.exe
3008	Process not Found
3008	Process not Found
4536	explorer.exe
4536	explorer.exe
4536	explorer.exe
4536	explorer.exe
4536	explorer.exe
4536	explorer.exe
3008	Process not Found
3008	Process not Found
4536	explorer.exe
4536	explorer.exe
5700	explorer.exe
5700	explorer.exe
5084	explorer.exe
5084	explorer.exe
8092	toolspab1.exe
7392	toolspab1.exe
4460	702564a0.exe
4536	explorer.exe
4536	explorer.exe
5700	explorer.exe
5700	explorer.exe
5084	explorer.exe
5084	explorer.exe
6604	MicrosoftEdgeCP.exe
6604	MicrosoftEdgeCP.exe
5084	explorer.exe
5084	explorer.exe
4536	explorer.exe
4536	explorer.exe
5700	explorer.exe
5700	explorer.exe
4536	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3144	Ultra.exe
Token: SeDebugPrivilege	4208	Faesahaexoty.exe
Token: SeDebugPrivilege	4216	Matunikyha.exe
Token: SeDebugPrivilege	2552	MicrosoftEdge.exe
Token: SeDebugPrivilege	2552	MicrosoftEdge.exe
Token: SeDebugPrivilege	2552	MicrosoftEdge.exe
Token: SeDebugPrivilege	2552	MicrosoftEdge.exe
Token: SeDebugPrivilege	2552	MicrosoftEdge.exe
Token: SeSecurityPrivilege	4800	msiexec.exe
Token: SeCreateTokenPrivilege	4232	installer.exe
Token: SeAssignPrimaryTokenPrivilege	4232	installer.exe
Token: SeLockMemoryPrivilege	4232	installer.exe
Token: SeIncreaseQuotaPrivilege	4232	installer.exe
Token: SeMachineAccountPrivilege	4232	installer.exe
Token: SeTcbPrivilege	4232	installer.exe
Token: SeSecurityPrivilege	4232	installer.exe
Token: SeTakeOwnershipPrivilege	4232	installer.exe
Token: SeLoadDriverPrivilege	4232	installer.exe
Token: SeSystemProfilePrivilege	4232	installer.exe
Token: SeSystemtimePrivilege	4232	installer.exe
Token: SeProfSingleProcessPrivilege	4232	installer.exe
Token: SeIncBasePriorityPrivilege	4232	installer.exe
Token: SeCreatePagefilePrivilege	4232	installer.exe
Token: SeCreatePermanentPrivilege	4232	installer.exe
Token: SeBackupPrivilege	4232	installer.exe
Token: SeRestorePrivilege	4232	installer.exe
Token: SeShutdownPrivilege	4232	installer.exe
Token: SeDebugPrivilege	4232	installer.exe
Token: SeAuditPrivilege	4232	installer.exe
Token: SeSystemEnvironmentPrivilege	4232	installer.exe
Token: SeChangeNotifyPrivilege	4232	installer.exe
Token: SeRemoteShutdownPrivilege	4232	installer.exe
Token: SeUndockPrivilege	4232	installer.exe
Token: SeSyncAgentPrivilege	4232	installer.exe
Token: SeEnableDelegationPrivilege	4232	installer.exe
Token: SeManageVolumePrivilege	4232	installer.exe
Token: SeImpersonatePrivilege	4232	installer.exe
Token: SeCreateGlobalPrivilege	4232	installer.exe
Token: SeCreateTokenPrivilege	4232	installer.exe
Token: SeAssignPrimaryTokenPrivilege	4232	installer.exe
Token: SeLockMemoryPrivilege	4232	installer.exe
Token: SeIncreaseQuotaPrivilege	4232	installer.exe
Token: SeMachineAccountPrivilege	4232	installer.exe
Token: SeTcbPrivilege	4232	installer.exe
Token: SeSecurityPrivilege	4232	installer.exe
Token: SeTakeOwnershipPrivilege	4232	installer.exe
Token: SeLoadDriverPrivilege	4232	installer.exe
Token: SeSystemProfilePrivilege	4232	installer.exe
Token: SeSystemtimePrivilege	4232	installer.exe
Token: SeProfSingleProcessPrivilege	4232	installer.exe
Token: SeIncBasePriorityPrivilege	4232	installer.exe
Token: SeCreatePagefilePrivilege	4232	installer.exe
Token: SeCreatePermanentPrivilege	4232	installer.exe
Token: SeBackupPrivilege	4232	installer.exe
Token: SeRestorePrivilege	4232	installer.exe
Token: SeShutdownPrivilege	4232	installer.exe
Token: SeDebugPrivilege	4232	installer.exe
Token: SeAuditPrivilege	4232	installer.exe
Token: SeSystemEnvironmentPrivilege	4232	installer.exe
Token: SeChangeNotifyPrivilege	4232	installer.exe
Token: SeRemoteShutdownPrivilege	4232	installer.exe
Token: SeUndockPrivilege	4232	installer.exe
Token: SeSyncAgentPrivilege	4232	installer.exe
Token: SeEnableDelegationPrivilege	4232	installer.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
4088	ultramediaburner.tmp
4232	installer.exe
5420	cmd.exe
5468	Setup3310.tmp
3008	Process not Found
3008	Process not Found
5116	irecord.tmp
5152	prolab.tmp
6400	installer.exe
7596	Setup3310.tmp
7516	Setup3310.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2552	MicrosoftEdge.exe
200	MicrosoftEdgeCP.exe
200	MicrosoftEdgeCP.exe
5312	MicrosoftEdge.exe
6604	MicrosoftEdgeCP.exe
6604	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3008	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 4888	4452	Install.exe	75
PID 4452 wrote to memory of 4888	4452	Install.exe	75
PID 4452 wrote to memory of 4888	4452	Install.exe	75
PID 4888 wrote to memory of 3144	4888	Install.tmp	77
PID 4888 wrote to memory of 3144	4888	Install.tmp	77
PID 3144 wrote to memory of 4040	3144	Ultra.exe	80
PID 3144 wrote to memory of 4040	3144	Ultra.exe	80
PID 3144 wrote to memory of 4040	3144	Ultra.exe	80
PID 4040 wrote to memory of 4088	4040	ultramediaburner.exe	81
PID 4040 wrote to memory of 4088	4040	ultramediaburner.exe	81
PID 4040 wrote to memory of 4088	4040	ultramediaburner.exe	81
PID 3144 wrote to memory of 4208	3144	Ultra.exe	82
PID 3144 wrote to memory of 4208	3144	Ultra.exe	82
PID 4088 wrote to memory of 4212	4088	ultramediaburner.tmp	83
PID 4088 wrote to memory of 4212	4088	ultramediaburner.tmp	83
PID 3144 wrote to memory of 4216	3144	Ultra.exe	84
PID 3144 wrote to memory of 4216	3144	Ultra.exe	84
PID 4216 wrote to memory of 3548	4216	Matunikyha.exe	90
PID 4216 wrote to memory of 3548	4216	Matunikyha.exe	90
PID 3548 wrote to memory of 4840	3548	cmd.exe	92
PID 3548 wrote to memory of 4840	3548	cmd.exe	92
PID 3548 wrote to memory of 4840	3548	cmd.exe	92
PID 4216 wrote to memory of 3796	4216	Matunikyha.exe	93
PID 4216 wrote to memory of 3796	4216	Matunikyha.exe	93
PID 3796 wrote to memory of 4232	3796	cmd.exe	95
PID 3796 wrote to memory of 4232	3796	cmd.exe	95
PID 3796 wrote to memory of 4232	3796	cmd.exe	95
PID 4216 wrote to memory of 1896	4216	Matunikyha.exe	96
PID 4216 wrote to memory of 1896	4216	Matunikyha.exe	96
PID 1896 wrote to memory of 3804	1896	cmd.exe	99
PID 1896 wrote to memory of 3804	1896	cmd.exe	99
PID 1896 wrote to memory of 3804	1896	cmd.exe	99
PID 3804 wrote to memory of 5048	3804	hbggg.exe	102
PID 3804 wrote to memory of 5048	3804	hbggg.exe	102
PID 3804 wrote to memory of 5048	3804	hbggg.exe	102
PID 4800 wrote to memory of 4576	4800	msiexec.exe	104
PID 4800 wrote to memory of 4576	4800	msiexec.exe	104
PID 4800 wrote to memory of 4576	4800	msiexec.exe	104
PID 4216 wrote to memory of 348	4216	Matunikyha.exe	105
PID 4216 wrote to memory of 348	4216	Matunikyha.exe	105
PID 348 wrote to memory of 896	348	cmd.exe	107
PID 348 wrote to memory of 896	348	cmd.exe	107
PID 348 wrote to memory of 896	348	cmd.exe	107
PID 4232 wrote to memory of 3576	4232	installer.exe	108
PID 4232 wrote to memory of 3576	4232	installer.exe	108
PID 4232 wrote to memory of 3576	4232	installer.exe	108
PID 4216 wrote to memory of 4252	4216	Matunikyha.exe	109
PID 4216 wrote to memory of 4252	4216	Matunikyha.exe	109
PID 896 wrote to memory of 4468	896	google-game.exe	112
PID 896 wrote to memory of 4468	896	google-game.exe	112
PID 896 wrote to memory of 4468	896	google-game.exe	112
PID 4252 wrote to memory of 4716	4252	cmd.exe	111
PID 4252 wrote to memory of 4716	4252	cmd.exe	111
PID 4252 wrote to memory of 4716	4252	cmd.exe	111
PID 3804 wrote to memory of 4312	3804	hbggg.exe	113
PID 3804 wrote to memory of 4312	3804	hbggg.exe	113
PID 3804 wrote to memory of 4312	3804	hbggg.exe	113
PID 4468 wrote to memory of 4604	4468	rUNdlL32.eXe	71
PID 4216 wrote to memory of 2200	4216	Matunikyha.exe	114
PID 4216 wrote to memory of 2200	4216	Matunikyha.exe	114
PID 4468 wrote to memory of 2792	4468	rUNdlL32.eXe	24
PID 4604 wrote to memory of 4852	4604	svchost.exe	115
PID 4604 wrote to memory of 4852	4604	svchost.exe	115
PID 4604 wrote to memory of 4852	4604	svchost.exe	115

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2588

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2792

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2584

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2444

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2404

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1872

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1208

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:944
- C:\Users\Admin\AppData\Roaming\tjrasfw
  C:\Users\Admin\AppData\Roaming\tjrasfw
  2⤵
  - Suspicious use of SetThreadContext
  PID:6512
- - C:\Users\Admin\AppData\Roaming\tjrasfw
    C:\Users\Admin\AppData\Roaming\tjrasfw
    3⤵
    - Checks SCSI registry key(s)
    PID:6192
- C:\Users\Admin\AppData\Roaming\gsrasfw
  C:\Users\Admin\AppData\Roaming\gsrasfw
  2⤵
  - Checks SCSI registry key(s)
  PID:8160
- C:\Users\Admin\AppData\Roaming\tjrasfw
  C:\Users\Admin\AppData\Roaming\tjrasfw
  2⤵
  - Suspicious use of SetThreadContext
  PID:9316
- - C:\Users\Admin\AppData\Roaming\tjrasfw
    C:\Users\Admin\AppData\Roaming\tjrasfw
    3⤵
    - Checks SCSI registry key(s)
    PID:9540
- C:\Users\Admin\AppData\Roaming\gsrasfw
  C:\Users\Admin\AppData\Roaming\gsrasfw
  2⤵
  - Checks SCSI registry key(s)
  PID:9328
- C:\Users\Admin\AppData\Roaming\tjrasfw
  C:\Users\Admin\AppData\Roaming\tjrasfw
  2⤵
  PID:9828
- C:\Users\Admin\AppData\Roaming\gsrasfw
  C:\Users\Admin\AppData\Roaming\gsrasfw
  2⤵
  PID:9836

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\is-DNHIO.tmp\Install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DNHIO.tmp\Install.tmp" /SL5="$4007A,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\is-CC5IH.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-CC5IH.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Program Files\Windows Sidebar\VXDUWAWIKE\ultramediaburner.exe
      "C:\Program Files\Windows Sidebar\VXDUWAWIKE\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4040
    - - C:\Users\Admin\AppData\Local\Temp\is-4VF9R.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4VF9R.tmp\ultramediaburner.tmp" /SL5="$60046,281924,62464,C:\Program Files\Windows Sidebar\VXDUWAWIKE\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\b7-2de95-b20-98b89-8ee859f2476e4\Faesahaexoty.exe
      "C:\Users\Admin\AppData\Local\Temp\b7-2de95-b20-98b89-8ee859f2476e4\Faesahaexoty.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      PID:4208
  - - C:\Users\Admin\AppData\Local\Temp\71-12cf5-fe9-779b6-f3970852c4d20\Matunikyha.exe
      "C:\Users\Admin\AppData\Local\Temp\71-12cf5-fe9-779b6-f3970852c4d20\Matunikyha.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4216
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4h3rcf2f.frg\001.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Users\Admin\AppData\Local\Temp\4h3rcf2f.frg\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\4h3rcf2f.frg\001.exe
        6⤵
        Executes dropped EXE
        
        PID:4840
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vtdkswwl.k15\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3796
      - C:\Users\Admin\AppData\Local\Temp\vtdkswwl.k15\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\vtdkswwl.k15\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\vtdkswwl.k15\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\vtdkswwl.k15\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621103662 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:3576
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bvcgotno.dvg\hbggg.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Users\Admin\AppData\Local\Temp\bvcgotno.dvg\hbggg.exe
        
        C:\Users\Admin\AppData\Local\Temp\bvcgotno.dvg\hbggg.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:9116
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:10176
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zl5akgv3.0jc\google-game.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:348
      - C:\Users\Admin\AppData\Local\Temp\zl5akgv3.0jc\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\zl5akgv3.0jc\google-game.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4468
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ozrl5xm4.gac\setup.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4252
      - C:\Users\Admin\AppData\Local\Temp\ozrl5xm4.gac\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\ozrl5xm4.gac\setup.exe
        6⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ozrl5xm4.gac\setup.exe"
        7⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        8⤵
        Runs ping.exe
        
        PID:5952
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1erwtvxt.hl4\customer1.exe & exit
        5⤵
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\1erwtvxt.hl4\customer1.exe
        
        C:\Users\Admin\AppData\Local\Temp\1erwtvxt.hl4\customer1.exe
        6⤵
        Executes dropped EXE
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:4884
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wh3hiccw.ayb\toolspab1.exe & exit
        5⤵
        
        PID:5388
      - C:\Users\Admin\AppData\Local\Temp\wh3hiccw.ayb\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\wh3hiccw.ayb\toolspab1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\wh3hiccw.ayb\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\wh3hiccw.ayb\toolspab1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5408
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\osij3jrj.iv3\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:1788
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gca0duns.51q\005.exe & exit
        5⤵
        
        PID:5948
      - C:\Users\Admin\AppData\Local\Temp\gca0duns.51q\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\gca0duns.51q\005.exe
        6⤵
        Executes dropped EXE
        
        PID:6096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2u35pcas.vxb\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        
        PID:2932
      - C:\Users\Admin\AppData\Local\Temp\2u35pcas.vxb\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\2u35pcas.vxb\installer.exe /qn CAMPAIGN="654"
        6⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\2u35pcas.vxb\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\2u35pcas.vxb\ EXE_CMD_LINE="/forcecleanup /wintime 1621103662 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:4416
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rqqcpwtd.zas\702564a0.exe & exit
        5⤵
        
        PID:1584
      - C:\Users\Admin\AppData\Local\Temp\rqqcpwtd.zas\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\rqqcpwtd.zas\702564a0.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:4188
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ncqq4vdn.w2m\app.exe /8-2222 & exit
        5⤵
        
        PID:5684
      - C:\Users\Admin\AppData\Local\Temp\ncqq4vdn.w2m\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\ncqq4vdn.w2m\app.exe /8-2222
        6⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\ncqq4vdn.w2m\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ncqq4vdn.w2m\app.exe" /8-2222
        7⤵
        Modifies data under HKEY_USERS
        
        PID:6648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kjudhwiq.qbs\Setup3310.exe /Verysilent /subid=623 & exit
        5⤵
        
        PID:5816
      - C:\Users\Admin\AppData\Local\Temp\kjudhwiq.qbs\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\kjudhwiq.qbs\Setup3310.exe /Verysilent /subid=623
        6⤵
        Executes dropped EXE
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\is-M3VIM.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-M3VIM.tmp\Setup3310.tmp" /SL5="$F0306,138429,56832,C:\Users\Admin\AppData\Local\Temp\kjudhwiq.qbs\Setup3310.exe" /Verysilent /subid=623
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\is-S4CC9.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-S4CC9.tmp\Setup.exe" /Verysilent
        8⤵
        
        PID:5704
        
        C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5248
        
        C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"
        10⤵
        Executes dropped EXE
        
        PID:5796
        
        C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"
        10⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
        9⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:8216
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:10192
        
        C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"
        9⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\6622865.exe
        
        "C:\Users\Admin\AppData\Roaming\6622865.exe"
        10⤵
        Executes dropped EXE
        
        PID:6028
        
        C:\Users\Admin\AppData\Roaming\2025378.exe
        
        "C:\Users\Admin\AppData\Roaming\2025378.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:6048
        
        C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        11⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Users\Admin\AppData\Roaming\8359490.exe
        
        "C:\Users\Admin\AppData\Roaming\8359490.exe"
        10⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3876
        
        C:\Users\Admin\AppData\Roaming\1084173.exe
        
        "C:\Users\Admin\AppData\Roaming\1084173.exe"
        10⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1220
        11⤵
        Program crash
        
        PID:180
        
        C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:1628
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        10⤵
        Loads dropped DLL
        
        PID:5352
        
        C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        9⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\is-106N1.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-106N1.tmp\LabPicV3.tmp" /SL5="$30370,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\is-F02IV.tmp\3316505.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-F02IV.tmp\3316505.exe" /S /UID=lab214
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:6100
        
        C:\Program Files\Windows NT\PGDZOOSHCB\prolab.exe
        
        "C:\Program Files\Windows NT\PGDZOOSHCB\prolab.exe" /VERYSILENT
        12⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\is-PHNG3.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PHNG3.tmp\prolab.tmp" /SL5="$1039A,575243,216576,C:\Program Files\Windows NT\PGDZOOSHCB\prolab.exe" /VERYSILENT
        13⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\cb-66d79-b55-b73af-ab8132efe1d38\Jegabaelaewa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb-66d79-b55-b73af-ab8132efe1d38\Jegabaelaewa.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\3e-5f6a3-74e-6d9b2-8162ad0ff4051\Rajetelupy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3e-5f6a3-74e-6d9b2-8162ad0ff4051\Rajetelupy.exe"
        12⤵
        Executes dropped EXE
        
        PID:6024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ajkp2knz.zgu\001.exe & exit
        13⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\ajkp2knz.zgu\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\ajkp2knz.zgu\001.exe
        14⤵
        Executes dropped EXE
        
        PID:6468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b13ynnzn.sll\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:6220
        
        C:\Users\Admin\AppData\Local\Temp\b13ynnzn.sll\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\b13ynnzn.sll\installer.exe /qn CAMPAIGN="654"
        14⤵
        Executes dropped EXE
        
        PID:6748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m0fik5ly.35d\hbggg.exe & exit
        13⤵
        
        PID:6896
        
        C:\Users\Admin\AppData\Local\Temp\m0fik5ly.35d\hbggg.exe
        
        C:\Users\Admin\AppData\Local\Temp\m0fik5ly.35d\hbggg.exe
        14⤵
        
        PID:6312
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:7648
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:9032
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:9488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wzktsifp.txt\google-game.exe & exit
        13⤵
        
        PID:6008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\wzktsifp.txt\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\wzktsifp.txt\google-game.exe
        14⤵
        Checks computer location settings
        
        PID:1304
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser
        15⤵
        
        PID:6828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\popxzggu.xio\setup.exe & exit
        13⤵
        
        PID:6716
        
        C:\Users\Admin\AppData\Local\Temp\popxzggu.xio\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\popxzggu.xio\setup.exe
        14⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\popxzggu.xio\setup.exe"
        15⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        16⤵
        Runs ping.exe
        
        PID:7436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4vrzcdch.ilx\customer1.exe & exit
        13⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\4vrzcdch.ilx\customer1.exe
        
        C:\Users\Admin\AppData\Local\Temp\4vrzcdch.ilx\customer1.exe
        14⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:7472
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:8216
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:8620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\avcqptaz.zno\toolspab1.exe & exit
        13⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\avcqptaz.zno\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\avcqptaz.zno\toolspab1.exe
        14⤵
        Suspicious use of SetThreadContext
        
        PID:7504
        
        C:\Users\Admin\AppData\Local\Temp\avcqptaz.zno\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\avcqptaz.zno\toolspab1.exe
        15⤵
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:7392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\suub5eci.vup\GcleanerWW.exe /mixone & exit
        13⤵
        
        PID:8072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x1vhrgh4.tac\005.exe & exit
        13⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\x1vhrgh4.tac\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\x1vhrgh4.tac\005.exe
        14⤵
        
        PID:7012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rvcumiqy.jdu\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:7776
        
        C:\Users\Admin\AppData\Local\Temp\rvcumiqy.jdu\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\rvcumiqy.jdu\installer.exe /qn CAMPAIGN="654"
        14⤵
        
        PID:6244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4vjxvzal.ag4\702564a0.exe & exit
        13⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\4vjxvzal.ag4\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\4vjxvzal.ag4\702564a0.exe
        14⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5608 -s 488
        15⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:7812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jsy5v0pv.dbl\app.exe /8-2222 & exit
        13⤵
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\Temp\jsy5v0pv.dbl\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\jsy5v0pv.dbl\app.exe /8-2222
        14⤵
        
        PID:6752
        
        C:\Users\Admin\AppData\Local\Temp\jsy5v0pv.dbl\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jsy5v0pv.dbl\app.exe" /8-2222
        15⤵
        Modifies data under HKEY_USERS
        
        PID:7312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o1j1bfo2.it0\Setup3310.exe /Verysilent /subid=623 & exit
        13⤵
        
        PID:7464
        
        C:\Users\Admin\AppData\Local\Temp\o1j1bfo2.it0\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\o1j1bfo2.it0\Setup3310.exe /Verysilent /subid=623
        14⤵
        
        PID:7052
        
        C:\Users\Admin\AppData\Local\Temp\is-4SO5Q.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4SO5Q.tmp\Setup3310.tmp" /SL5="$2052A,138429,56832,C:\Users\Admin\AppData\Local\Temp\o1j1bfo2.it0\Setup3310.exe" /Verysilent /subid=623
        15⤵
        Suspicious use of FindShellTrayWindow
        
        PID:7596
        
        C:\Users\Admin\AppData\Local\Temp\is-GA68S.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GA68S.tmp\Setup.exe" /Verysilent
        16⤵
        
        PID:5820
        
        C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        9⤵
        Executes dropped EXE
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\is-NUJKR.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NUJKR.tmp\lylal220.tmp" /SL5="$30386,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\is-RK7M9.tmp\4_177039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RK7M9.tmp\4_177039.exe" /S /UID=lylal220
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:5032
        
        C:\Program Files\Windows Photo Viewer\DLIGYCYTOI\irecord.exe
        
        "C:\Program Files\Windows Photo Viewer\DLIGYCYTOI\irecord.exe" /VERYSILENT
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\is-VJN9B.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VJN9B.tmp\irecord.tmp" /SL5="$30368,6139911,56832,C:\Program Files\Windows Photo Viewer\DLIGYCYTOI\irecord.exe" /VERYSILENT
        13⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5116
        
        C:\Program Files (x86)\recording\i-record.exe
        
        "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\7d-77d58-e3c-cd5a7-645e8076fa21f\Gypaxylaegi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7d-77d58-e3c-cd5a7-645e8076fa21f\Gypaxylaegi.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\e3-9b36d-e30-42389-47362504b94c9\Lecasalupae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3-9b36d-e30-42389-47362504b94c9\Lecasalupae.exe"
        12⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\asm3zon1.pt2\001.exe & exit
        13⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\asm3zon1.pt2\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\asm3zon1.pt2\001.exe
        14⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\t2iwp1mh.brg\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:5592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        Executes dropped EXE
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\t2iwp1mh.brg\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\t2iwp1mh.brg\installer.exe /qn CAMPAIGN="654"
        14⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:6400
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\t2iwp1mh.brg\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\t2iwp1mh.brg\ EXE_CMD_LINE="/forcecleanup /wintime 1621103662 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        15⤵
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0izzoxtm.tft\hbggg.exe & exit
        13⤵
        
        PID:6212
        
        C:\Users\Admin\AppData\Local\Temp\0izzoxtm.tft\hbggg.exe
        
        C:\Users\Admin\AppData\Local\Temp\0izzoxtm.tft\hbggg.exe
        14⤵
        Executes dropped EXE
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:9104
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:7312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\50krfncb.put\google-game.exe & exit
        13⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\50krfncb.put\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\50krfncb.put\google-game.exe
        14⤵
        Checks computer location settings
        
        PID:6552
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser
        15⤵
        
        PID:6420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fjsn02nt.o2n\setup.exe & exit
        13⤵
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\fjsn02nt.o2n\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\fjsn02nt.o2n\setup.exe
        14⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\fjsn02nt.o2n\setup.exe"
        15⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        16⤵
        Runs ping.exe
        
        PID:7372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yrl5vgia.0uy\customer1.exe & exit
        13⤵
        Executes dropped EXE
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\yrl5vgia.0uy\customer1.exe
        
        C:\Users\Admin\AppData\Local\Temp\yrl5vgia.0uy\customer1.exe
        14⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:7004
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:9008
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:9548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vr5xv02f.u5v\toolspab1.exe & exit
        13⤵
        Blocklisted process makes network request
        Executes dropped EXE
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\vr5xv02f.u5v\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\vr5xv02f.u5v\toolspab1.exe
        14⤵
        Suspicious use of SetThreadContext
        
        PID:6384
        
        C:\Users\Admin\AppData\Local\Temp\vr5xv02f.u5v\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\vr5xv02f.u5v\toolspab1.exe
        15⤵
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:8092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ccfhuem2.v5i\GcleanerWW.exe /mixone & exit
        13⤵
        
        PID:7396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5cgvcoyq.l4f\005.exe & exit
        13⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\5cgvcoyq.l4f\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cgvcoyq.l4f\005.exe
        14⤵
        
        PID:4624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ty4b5mc.02j\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:7852
        
        C:\Users\Admin\AppData\Local\Temp\0ty4b5mc.02j\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\0ty4b5mc.02j\installer.exe /qn CAMPAIGN="654"
        14⤵
        
        PID:3284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hfrkcrv0.vsf\702564a0.exe & exit
        13⤵
        
        PID:7404
        
        C:\Users\Admin\AppData\Local\Temp\hfrkcrv0.vsf\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\hfrkcrv0.vsf\702564a0.exe
        14⤵
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:4460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xkh2nys3.tup\app.exe /8-2222 & exit
        13⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\xkh2nys3.tup\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\xkh2nys3.tup\app.exe /8-2222
        14⤵
        
        PID:8048
        
        C:\Users\Admin\AppData\Local\Temp\xkh2nys3.tup\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xkh2nys3.tup\app.exe" /8-2222
        15⤵
        Modifies data under HKEY_USERS
        
        PID:7424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y02f0dgr.keb\Setup3310.exe /Verysilent /subid=623 & exit
        13⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\y02f0dgr.keb\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\y02f0dgr.keb\Setup3310.exe /Verysilent /subid=623
        14⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\is-TOMC8.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TOMC8.tmp\Setup3310.tmp" /SL5="$105B4,138429,56832,C:\Users\Admin\AppData\Local\Temp\y02f0dgr.keb\Setup3310.exe" /Verysilent /subid=623
        15⤵
        Suspicious use of FindShellTrayWindow
        
        PID:7516
        
        C:\Users\Admin\AppData\Local\Temp\is-SF843.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-SF843.tmp\Setup.exe" /Verysilent
        16⤵
        Drops file in Program Files directory
        
        PID:8012
        
        C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe"
        9⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        
        PID:2336
        
        C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe"
        9⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        10⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        11⤵
        Kills process with taskkill
        
        PID:5760
        
        C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
        9⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
        10⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im RunWW.exe /f
        11⤵
        Kills process with taskkill
        
        PID:4812
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        11⤵
        Delays execution with timeout.exe
        
        PID:7528

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:4852

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2896

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
PID:1924

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DE437E31DC161F649F8FF44B561632EB C
  2⤵
  - Loads dropped DLL
  PID:4576
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 751FE4C761ABA72E0AA54D532CB9C0E2
  2⤵
  PID:3876
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5532
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FD278D5DB41F1A470C28E084B6B9E580 E Global\MSI0000
  2⤵
  PID:5704
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 36F08D8E8A9CADF0209B0542F37D4E19 C
  2⤵
  - Loads dropped DLL
  PID:4860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DEF6C3364B526B98D2C199C31B3BEAE3
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:972
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5288
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 772F3D08AEE3F83687B31D7D32648DD5 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5640
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2E7DB90A2BD598113F30BA4C39DE3629 C
  2⤵
  PID:6816
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CA46D7AB052FFC20393951AFF5464D00
  2⤵
  - Blocklisted process makes network request
  PID:7008
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:6956
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DCF897B178B7F7CCAD0A74356AC137AD E Global\MSI0000
  2⤵
  PID:4144

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5720

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5484

C:\Users\Admin\AppData\Local\Temp\5A65.exe
C:\Users\Admin\AppData\Local\Temp\5A65.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1432

C:\Users\Admin\AppData\Local\Temp\611D.exe
C:\Users\Admin\AppData\Local\Temp\611D.exe
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5312

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6604

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7092

C:\Users\Admin\AppData\Local\Temp\5BB.exe
C:\Users\Admin\AppData\Local\Temp\5BB.exe
1⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:6136
- C:\Program Files\Windows Defender\MpCmdRun.exe
  "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -Set-Mp Preference -DisableIOAVProtection $true
  2⤵
  PID:6512
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Drops file in Windows directory
  PID:4504
- - C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -Set-Mp Preference -DisableIOAVProtection $true
    3⤵
    PID:5480
- - C:\Windows\System\spoolsv.exe
    "C:\Windows\System\spoolsv.exe" --MaxCircuitDirtiness 60 --NewCircuitPeriod 1 --MaxClientCircuitsPending 1024 --OptimisticData 1 --KeepalivePeriod 30 --CircuitBuildTimeout 10 --EnforceDistinctSubnets 0 --HardwareAccel 1 --UseEntryGuards 0
    3⤵
    PID:7072

C:\Users\Admin\AppData\Local\Temp\9A4.exe
C:\Users\Admin\AppData\Local\Temp\9A4.exe
1⤵
PID:5148

C:\Users\Admin\AppData\Local\Temp\B5A.exe
C:\Users\Admin\AppData\Local\Temp\B5A.exe
1⤵
PID:5924

C:\Users\Admin\AppData\Local\Temp\EA7.exe
C:\Users\Admin\AppData\Local\Temp\EA7.exe
1⤵
PID:6316

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6408

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6808

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6560

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5084

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1260

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5700

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4456

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6584

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4536

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5336

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\57c31c312f7f4e5f9b953c87c627120c /t 1312 /p 4456
1⤵
PID:7972

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7100

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:7016

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3836

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:96
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 96 -s 2468
  2⤵
  - Program crash
  PID:7388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7564

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8920

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9004
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 9004 -s 1340
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:9108

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8796

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8772

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8876

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9364
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 9364 -s 1212
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:9448

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10072

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9452

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1828

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9848

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9644

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10016

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery