elysiumstealer | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1478162.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1478162.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Paemaevaepeqy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	keygen-step-4d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	google-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	google-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	google-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	guihuali-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Xudubyjaeko.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Seledipuvi.exe

Loads dropped DLL 64 IoCs

pid	Process
1392	rundll32.exe
2500	Install.tmp
5176	dp81GdX0OrCQ.exe
5176	dp81GdX0OrCQ.exe
5176	dp81GdX0OrCQ.exe
6916	MsiExec.exe
6916	MsiExec.exe
5796	Conhost.exe
6512	MsiExec.exe
6512	MsiExec.exe
6512	MsiExec.exe
6512	MsiExec.exe
6512	MsiExec.exe
6512	MsiExec.exe
6512	MsiExec.exe
6512	MsiExec.exe
4060	cmd.exe
6512	MsiExec.exe
6512	MsiExec.exe
5176	dp81GdX0OrCQ.exe
6512	MsiExec.exe
6512	MsiExec.exe
6604	MsiExec.exe
6604	MsiExec.exe
6604	MsiExec.exe
6604	MsiExec.exe
6604	MsiExec.exe
6604	MsiExec.exe
6604	MsiExec.exe
6512	MsiExec.exe
1244	MicrosoftEdgeCP.exe
1244	MicrosoftEdgeCP.exe
1244	MicrosoftEdgeCP.exe
5788	MsiExec.exe
5788	MsiExec.exe
5688	702564a0.exe
3192	MicrosoftEdgeCP.exe
3192	MicrosoftEdgeCP.exe
6896	MsiExec.exe
6896	MsiExec.exe
6896	MsiExec.exe
6896	MsiExec.exe
6896	MsiExec.exe
6896	MsiExec.exe
6896	MsiExec.exe
6896	MsiExec.exe
6896	MsiExec.exe
6664	cmd.exe
1748	LabPicV3.tmp
6896	MsiExec.exe
1244	MicrosoftEdgeCP.exe
6896	MsiExec.exe
1944	rUNdlL32.eXe
6896	MsiExec.exe
3704	8FEC.exe
4888	msiexec.exe
3704	8FEC.exe
3704	8FEC.exe
3704	8FEC.exe
3704	8FEC.exe
3704	8FEC.exe
4888	msiexec.exe
4888	msiexec.exe
4888	msiexec.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gaoou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	4287445.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Lushycorapa.exe\""	4_177039.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Defender\\Qojisurymu.exe\""	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Windows\\System\\svchost.exe"	5571.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Adobe\\Baehiduzheku.exe\""	Ultra.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg6_6asg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1478162.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg7_7wjg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	app.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Y:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\B:	dp81GdX0OrCQ.exe
File opened (read-only)	\??\X:	dp81GdX0OrCQ.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\N:	dp81GdX0OrCQ.exe
File opened (read-only)	\??\Y:	dp81GdX0OrCQ.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	dp81GdX0OrCQ.exe
File opened (read-only)	\??\S:	dp81GdX0OrCQ.exe
File opened (read-only)	\??\W:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\Z:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\M:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\T:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\A:	dp81GdX0OrCQ.exe
File opened (read-only)	\??\H:	dp81GdX0OrCQ.exe
File opened (read-only)	\??\I:	dp81GdX0OrCQ.exe
File opened (read-only)	\??\J:	dp81GdX0OrCQ.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\U:	dp81GdX0OrCQ.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\P:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\Q:	dp81GdX0OrCQ.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\N:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\O:	dp81GdX0OrCQ.exe
File opened (read-only)	\??\G:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\K:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\R:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\L:	MicrosoftEdgeCP.exe
File opened (read-only)	\??\L:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
437	ip-api.com
677	ipinfo.io
679	ipinfo.io
690	ipinfo.io
79	ip-api.com
316	ipinfo.io
318	ipinfo.io

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent F2FE48A4AA2A1D46	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 10082C864F3EA39C	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
6836	1478162.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 3980 set thread context of 420	3980	svchost.exe	80
PID 3980 set thread context of 3396	3980	svchost.exe	84
PID 6576 set thread context of 4060	6576	toolspab1.exe	286
PID 5176 set thread context of 5772	5176	dp81GdX0OrCQ.exe	214
PID 7132 set thread context of 7388	7132	toolspab1.exe	296
PID 7904 set thread context of 8064	7904	toolspab1.exe	301
PID 7340 set thread context of 9124	7340	hcsjbau	377

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\recording\is-18SV7.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe	Setup.exe
File created	C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.ini	Setup.exe
File created	C:\Program Files\Microsoft Office 15\EXZCTWNWNO\irecord.exe	4_177039.exe
File opened for modification	C:\Program Files (x86)\recording\Bunifu_UI_v1.52.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avfilter-2.dll	irecord.tmp
File created	C:\Program Files (x86)\Picture Lab\is-MI5BV.tmp	prolab.tmp
File created	C:\Program Files (x86)\recording\is-VQL5Q.tmp	irecord.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\DockingToolbar.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-L94FF.tmp	prolab.tmp
File created	C:\Program Files (x86)\recording\is-KJ4OJ.tmp	irecord.tmp
File created	C:\Program Files\install.dat	xiuhuali.exe
File created	C:\Program Files\MSBuild\SBHYQSOVJN\ultramediaburner.exe.config	Ultra.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\recording\AForge.Video.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-D4FPA.tmp	irecord.tmp
File created	C:\Program Files (x86)\Picture Lab\is-8JAFJ.tmp	prolab.tmp
File created	C:\Program Files\MSBuild\SBHYQSOVJN\ultramediaburner.exe	Ultra.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-IFMEL.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe	Setup.exe
File created	C:\Program Files (x86)\recording\is-H5B9V.tmp	irecord.tmp
File created	C:\Program Files (x86)\Picture Lab\is-MFTEE.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\recording\swresample-0.dll	irecord.tmp
File created	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-NJTDP.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\OYDJXIDPYU\prolab.exe	cmd.exe
File created	C:\Program Files (x86)\recording\is-43EUH.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-PMT8H.tmp	prolab.tmp
File created	C:\Program Files (x86)\recording\is-ETQLL.tmp	irecord.tmp
File created	C:\Program Files\Microsoft Office 15\EXZCTWNWNO\irecord.exe.config	4_177039.exe
File opened for modification	C:\Program Files (x86)\recording\unins000.exe	irecord.tmp
File created	C:\Program Files (x86)\Reference Assemblies\Lushycorapa.exe	4_177039.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-QGJQ2.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-H6C1O.tmp	prolab.tmp
File created	C:\Program Files\install.dll	xiuhuali.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe	Setup.exe
File created	C:\Program Files (x86)\recording\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\Picture Lab\is-KIVQF.tmp	prolab.tmp
File created	C:\Program Files (x86)\recording\is-L86T7.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\unins000.dat	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\recording\avcodec-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\d.INTEG.RAW	jg7_7wjg.exe
File created	C:\Program Files (x86)\Data Finder\Versium Research\d.jfm	jg7_7wjg.exe
File opened for modification	C:\Program Files (x86)\recording\AForge.Video.FFMPEG.dll	irecord.tmp
File created	C:\Program Files (x86)\Reference Assemblies\Lushycorapa.exe.config	4_177039.exe
File created	C:\Program Files (x86)\recording\is-UDS6Q.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-CQ3J7.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceLibrary.dll	prolab.tmp
File created	C:\Program Files (x86)\recording\is-FF4AF.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll	prolab.tmp
File created	C:\Program Files (x86)\Windows Defender\Qojisurymu.exe	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f74d2e6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDEAE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE37.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC0D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4475.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE058.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE0C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE55B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE319.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE01.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E9B.tmp	msiexec.exe
File created	C:\Windows\System\svchost.exe	5571.exe
File opened for modification	C:\Windows\Installer\MSIBAB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D7.tmp	msiexec.exe
File opened for modification	C:\Windows\System\libgcc_s_sjlj-1.dll	svchost.exe
File opened for modification	C:\Windows\Installer\MSI515E.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\f74d2e9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB949.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF653.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI810.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42AF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4794.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4860.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI53B2.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI84F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI270A.tmp	msiexec.exe
File opened for modification	C:\Windows\System\libcrypto-1_1.dll	svchost.exe
File opened for modification	C:\Windows\System\zlib1.dll	svchost.exe
File opened for modification	C:\Windows\Installer\MSI52F6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI574F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB909.tmp	msiexec.exe
File opened for modification	C:\Windows\System\libssp-0.dll	svchost.exe
File opened for modification	C:\Windows\Installer\MSIB87C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB9A8.tmp	msiexec.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\Installer\MSIDA2A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI489F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF858.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI93B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF217.tmp	msiexec.exe
File created	C:\Windows\System\xxx1.bak	5571.exe
File opened for modification	C:\Windows\System\spoolsv.exe	svchost.exe
File opened for modification	C:\Windows\Installer\MSIDE92.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI45BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA7C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5BC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID073.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI522A.tmp	msiexec.exe
File opened for modification	C:\Windows\System\svchost.exe	5571.exe
File opened for modification	C:\Windows\Installer\MSIDD09.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDDD5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI239D.tmp	msiexec.exe
File opened for modification	C:\Windows\System\libevent-2-1-7.dll	svchost.exe
File opened for modification	C:\Windows\System\libwinpthread-1.dll	svchost.exe
File created	C:\Windows\Installer\f74d2e6.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
5808	8132	WerFault.exe	300
7208	8056	WerFault.exe	340
2100	7284	WerFault.exe	364
7684	5980	WerFault.exe	198
8224	5764	WerFault.exe	378
9756	9648	WerFault.exe	405
9720	4880	WerFault.exe	412
9740	4156	WerFault.exe	418

Checks SCSI registry key(s) 3 TTPs 28 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	casjbau
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	MicrosoftEdgeCP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	casjbau
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hcsjbau
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000A	MicrosoftEdgeCP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hcsjbau
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cmd.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	MicrosoftEdgeCP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000A	MicrosoftEdgeCP.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hcsjbau
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	casjbau

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RunWW.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RunWW.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5240	timeout.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	MicrosoftEdgeCP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	MicrosoftEdgeCP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	MicrosoftEdgeCP.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
6336	taskkill.exe
6756	taskkill.exe
7108	taskkill.exe
7480	taskkill.exe
6580	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	app.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	app.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	app.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\allcommonblog.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 1081424c154cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\allcommonblog.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "705"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	google-game.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\allcommonblog.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S}\1 = "3436"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\girls.xyz\Total = "328"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn = "5"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "952"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\NumberOfSubdomai = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "1504"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.google.com	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "91"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "153"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\xapi.juicyads.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{AA14C039-24D2-4EEA-ACB0-C59BF5934174}"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\propapps.info\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	dp81GdX0OrCQ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	dp81GdX0OrCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	dp81GdX0OrCQ.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
4728	PING.EXE
6704	PING.EXE
7144	PING.EXE
5212	PING.EXE

Script User-Agent 23 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	678	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	710	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	719	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	317	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	320	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	328	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	355	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	705	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	709	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	720	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	330	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	333	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	679	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	706	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	707	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	708	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	318	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	681	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	688	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	690	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	694	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	701	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	712	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1392	rundll32.exe
1392	rundll32.exe
3980	svchost.exe
3980	svchost.exe
3980	svchost.exe
3980	svchost.exe
2164	ultramediaburner.tmp
2164	ultramediaburner.tmp
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe
4088	Kaevasolevu.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	Process not Found

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4144	MicrosoftEdgeCP.exe
4144	MicrosoftEdgeCP.exe
4144	MicrosoftEdgeCP.exe
4060	cmd.exe
5688	702564a0.exe
3192	MicrosoftEdgeCP.exe
3192	MicrosoftEdgeCP.exe
3192	MicrosoftEdgeCP.exe
3192	MicrosoftEdgeCP.exe
2680	Process not Found
2680	Process not Found
2680	Process not Found
2680	Process not Found
2680	Process not Found
2680	Process not Found
2680	Process not Found
2680	Process not Found
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
5064	explorer.exe
2680	Process not Found
2680	Process not Found
2680	Process not Found
2680	Process not Found
7632	explorer.exe
7632	explorer.exe
7632	explorer.exe
7632	explorer.exe
7632	explorer.exe
7632	explorer.exe
7632	explorer.exe
7632	explorer.exe
7632	explorer.exe
7632	explorer.exe
2680	Process not Found
2680	Process not Found
2680	Process not Found
2680	Process not Found
7972	explorer.exe
7972	explorer.exe
7972	explorer.exe
7972	explorer.exe
7972	explorer.exe
7972	explorer.exe
7972	explorer.exe
7972	explorer.exe
7972	explorer.exe
7972	explorer.exe
2680	Process not Found
2680	Process not Found
7388	toolspab1.exe
7632	explorer.exe
7632	explorer.exe
5064	explorer.exe
5064	explorer.exe
7972	explorer.exe
7972	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1392	rundll32.exe
Token: SeTcbPrivilege	3980	svchost.exe
Token: SeDebugPrivilege	1392	rundll32.exe
Token: SeDebugPrivilege	1392	rundll32.exe
Token: SeDebugPrivilege	200	JoSetp.exe
Token: SeDebugPrivilege	1392	rundll32.exe
Token: SeDebugPrivilege	1392	rundll32.exe
Token: SeDebugPrivilege	1392	rundll32.exe
Token: SeDebugPrivilege	1392	rundll32.exe
Token: SeDebugPrivilege	1392	rundll32.exe
Token: SeDebugPrivilege	1392	rundll32.exe
Token: SeDebugPrivilege	1392	rundll32.exe
Token: SeDebugPrivilege	1392	rundll32.exe
Token: SeDebugPrivilege	1392	rundll32.exe
Token: SeDebugPrivilege	1392	rundll32.exe
Token: SeDebugPrivilege	1592	Ultra.exe
Token: SeTcbPrivilege	3980	svchost.exe
Token: SeAuditPrivilege	2236	svchost.exe
Token: SeDebugPrivilege	1928	Paemaevaepeqy.exe
Token: SeDebugPrivilege	4088	Kaevasolevu.exe
Token: SeAssignPrimaryTokenPrivilege	2532	svchost.exe
Token: SeIncreaseQuotaPrivilege	2532	svchost.exe
Token: SeSecurityPrivilege	2532	svchost.exe
Token: SeTakeOwnershipPrivilege	2532	svchost.exe
Token: SeLoadDriverPrivilege	2532	svchost.exe
Token: SeSystemtimePrivilege	2532	svchost.exe
Token: SeBackupPrivilege	2532	svchost.exe
Token: SeRestorePrivilege	2532	svchost.exe
Token: SeShutdownPrivilege	2532	svchost.exe
Token: SeSystemEnvironmentPrivilege	2532	svchost.exe
Token: SeUndockPrivilege	2532	svchost.exe
Token: SeManageVolumePrivilege	2532	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2532	svchost.exe
Token: SeIncreaseQuotaPrivilege	2532	svchost.exe
Token: SeSecurityPrivilege	2532	svchost.exe
Token: SeTakeOwnershipPrivilege	2532	svchost.exe
Token: SeLoadDriverPrivilege	2532	svchost.exe
Token: SeSystemtimePrivilege	2532	svchost.exe
Token: SeBackupPrivilege	2532	svchost.exe
Token: SeRestorePrivilege	2532	svchost.exe
Token: SeShutdownPrivilege	2532	svchost.exe
Token: SeSystemEnvironmentPrivilege	2532	svchost.exe
Token: SeUndockPrivilege	2532	svchost.exe
Token: SeManageVolumePrivilege	2532	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2532	svchost.exe
Token: SeIncreaseQuotaPrivilege	2532	svchost.exe
Token: SeSecurityPrivilege	2532	svchost.exe
Token: SeTakeOwnershipPrivilege	2532	svchost.exe
Token: SeLoadDriverPrivilege	2532	svchost.exe
Token: SeSystemtimePrivilege	2532	svchost.exe
Token: SeBackupPrivilege	2532	svchost.exe
Token: SeRestorePrivilege	2532	svchost.exe
Token: SeShutdownPrivilege	2532	svchost.exe
Token: SeSystemEnvironmentPrivilege	2532	svchost.exe
Token: SeUndockPrivilege	2532	svchost.exe
Token: SeManageVolumePrivilege	2532	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2532	svchost.exe
Token: SeIncreaseQuotaPrivilege	2532	svchost.exe
Token: SeSecurityPrivilege	2532	svchost.exe
Token: SeTakeOwnershipPrivilege	2532	svchost.exe
Token: SeLoadDriverPrivilege	2532	svchost.exe
Token: SeSystemtimePrivilege	2532	svchost.exe
Token: SeBackupPrivilege	2532	svchost.exe
Token: SeRestorePrivilege	2532	svchost.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2164	ultramediaburner.tmp
5176	dp81GdX0OrCQ.exe
2680	Process not Found
2680	Process not Found
1244	MicrosoftEdgeCP.exe
3192	MicrosoftEdgeCP.exe
2680	Process not Found
2680	Process not Found
3836	irecord.tmp
6944	prolab.tmp
8012	installer.exe
2736	Setup3310.tmp
5516	Setup3310.tmp

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2848	xiuhuali.exe
2848	xiuhuali.exe
5008	MicrosoftEdge.exe
4144	MicrosoftEdgeCP.exe
4144	MicrosoftEdgeCP.exe
6712	MicrosoftEdge.exe
3192	MicrosoftEdgeCP.exe
3192	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2680	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2848	1852	keygen-step-4d.exe	76
PID 1852 wrote to memory of 2848	1852	keygen-step-4d.exe	76
PID 1852 wrote to memory of 2848	1852	keygen-step-4d.exe	76
PID 2848 wrote to memory of 1392	2848	xiuhuali.exe	78
PID 2848 wrote to memory of 1392	2848	xiuhuali.exe	78
PID 2848 wrote to memory of 1392	2848	xiuhuali.exe	78
PID 1852 wrote to memory of 200	1852	keygen-step-4d.exe	79
PID 1852 wrote to memory of 200	1852	keygen-step-4d.exe	79
PID 1392 wrote to memory of 3980	1392	rundll32.exe	69
PID 3980 wrote to memory of 420	3980	svchost.exe	80
PID 3980 wrote to memory of 420	3980	svchost.exe	80
PID 1392 wrote to memory of 2560	1392	rundll32.exe	18
PID 3980 wrote to memory of 420	3980	svchost.exe	80
PID 1392 wrote to memory of 68	1392	rundll32.exe	55
PID 1392 wrote to memory of 2224	1392	rundll32.exe	27
PID 1392 wrote to memory of 2236	1392	rundll32.exe	26
PID 1392 wrote to memory of 1104	1392	rundll32.exe	50
PID 1392 wrote to memory of 1064	1392	rundll32.exe	51
PID 1392 wrote to memory of 1360	1392	rundll32.exe	43
PID 1392 wrote to memory of 1824	1392	rundll32.exe	33
PID 1392 wrote to memory of 1196	1392	rundll32.exe	46
PID 1392 wrote to memory of 1288	1392	rundll32.exe	45
PID 1392 wrote to memory of 2532	1392	rundll32.exe	20
PID 1392 wrote to memory of 2552	1392	rundll32.exe	19
PID 1852 wrote to memory of 1588	1852	keygen-step-4d.exe	81
PID 1852 wrote to memory of 1588	1852	keygen-step-4d.exe	81
PID 1852 wrote to memory of 1588	1852	keygen-step-4d.exe	81
PID 1588 wrote to memory of 2500	1588	Install.exe	82
PID 1588 wrote to memory of 2500	1588	Install.exe	82
PID 1588 wrote to memory of 2500	1588	Install.exe	82
PID 2500 wrote to memory of 1592	2500	Install.tmp	83
PID 2500 wrote to memory of 1592	2500	Install.tmp	83
PID 3980 wrote to memory of 3396	3980	svchost.exe	84
PID 3980 wrote to memory of 3396	3980	svchost.exe	84
PID 3980 wrote to memory of 3396	3980	svchost.exe	84
PID 1592 wrote to memory of 1488	1592	Ultra.exe	85
PID 1592 wrote to memory of 1488	1592	Ultra.exe	85
PID 1592 wrote to memory of 1488	1592	Ultra.exe	85
PID 1488 wrote to memory of 2164	1488	ultramediaburner.exe	86
PID 1488 wrote to memory of 2164	1488	ultramediaburner.exe	86
PID 1488 wrote to memory of 2164	1488	ultramediaburner.exe	86
PID 1592 wrote to memory of 1928	1592	Ultra.exe	87
PID 1592 wrote to memory of 1928	1592	Ultra.exe	87
PID 2164 wrote to memory of 684	2164	ultramediaburner.tmp	88
PID 2164 wrote to memory of 684	2164	ultramediaburner.tmp	88
PID 1592 wrote to memory of 4088	1592	Ultra.exe	89
PID 1592 wrote to memory of 4088	1592	Ultra.exe	89
PID 1852 wrote to memory of 4144	1852	keygen-step-4d.exe	97
PID 1852 wrote to memory of 4144	1852	keygen-step-4d.exe	97
PID 1852 wrote to memory of 4144	1852	keygen-step-4d.exe	97
PID 4144 wrote to memory of 2484	4144	MicrosoftEdgeCP.exe	94
PID 4144 wrote to memory of 2484	4144	MicrosoftEdgeCP.exe	94
PID 4144 wrote to memory of 2484	4144	MicrosoftEdgeCP.exe	94
PID 2484 wrote to memory of 4728	2484	cmd.exe	96
PID 2484 wrote to memory of 4728	2484	cmd.exe	96
PID 2484 wrote to memory of 4728	2484	cmd.exe	96
PID 1852 wrote to memory of 4644	1852	keygen-step-4d.exe	98
PID 1852 wrote to memory of 4644	1852	keygen-step-4d.exe	98
PID 1852 wrote to memory of 4644	1852	keygen-step-4d.exe	98
PID 4144 wrote to memory of 4000	4144	MicrosoftEdgeCP.exe	99
PID 4144 wrote to memory of 4000	4144	MicrosoftEdgeCP.exe	99
PID 4144 wrote to memory of 4000	4144	MicrosoftEdgeCP.exe	99
PID 4144 wrote to memory of 4000	4144	MicrosoftEdgeCP.exe	99
PID 4144 wrote to memory of 4000	4144	MicrosoftEdgeCP.exe	99

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2236

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1824

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1288

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1196

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1064
- C:\Users\Admin\AppData\Roaming\casjbau
  C:\Users\Admin\AppData\Roaming\casjbau
  2⤵
  - Checks SCSI registry key(s)
  PID:4924
- C:\Users\Admin\AppData\Roaming\hcsjbau
  C:\Users\Admin\AppData\Roaming\hcsjbau
  2⤵
  - Suspicious use of SetThreadContext
  PID:7340
- - C:\Users\Admin\AppData\Roaming\hcsjbau
    C:\Users\Admin\AppData\Roaming\hcsjbau
    3⤵
    - Checks SCSI registry key(s)
    PID:9124
- C:\Users\Admin\AppData\Roaming\hcsjbau
  C:\Users\Admin\AppData\Roaming\hcsjbau
  2⤵
  PID:9304
- - C:\Users\Admin\AppData\Roaming\hcsjbau
    C:\Users\Admin\AppData\Roaming\hcsjbau
    3⤵
    PID:10180
- C:\Users\Admin\AppData\Roaming\casjbau
  C:\Users\Admin\AppData\Roaming\casjbau
  2⤵
  PID:9312
- C:\Users\Admin\AppData\Roaming\casjbau
  C:\Users\Admin\AppData\Roaming\casjbau
  2⤵
  PID:10032
- C:\Users\Admin\AppData\Roaming\hcsjbau
  C:\Users\Admin\AppData\Roaming\hcsjbau
  2⤵
  PID:5892

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:68

C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1392
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:200
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\is-RQK8Q.tmp\Install.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RQK8Q.tmp\Install.tmp" /SL5="$701A6,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\is-HT56E.tmp\Ultra.exe
      "C:\Users\Admin\AppData\Local\Temp\is-HT56E.tmp\Ultra.exe" /S /UID=burnerch1
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Program Files\MSBuild\SBHYQSOVJN\ultramediaburner.exe
        
        "C:\Program Files\MSBuild\SBHYQSOVJN\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Users\Admin\AppData\Local\Temp\is-P0K9H.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-P0K9H.tmp\ultramediaburner.tmp" /SL5="$701FA,281924,62464,C:\Program Files\MSBuild\SBHYQSOVJN\ultramediaburner.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        7⤵
        Executes dropped EXE
        
        PID:684
    - - C:\Users\Admin\AppData\Local\Temp\4d-34ff5-78e-04983-42b44447d9eb0\Paemaevaepeqy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4d-34ff5-78e-04983-42b44447d9eb0\Paemaevaepeqy.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\2c-70dc8-9b1-33997-7862e033f13c4\Kaevasolevu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2c-70dc8-9b1-33997-7862e033f13c4\Kaevasolevu.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cfhn3nsx.kqm\001.exe & exit
        6⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\cfhn3nsx.kqm\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\cfhn3nsx.kqm\001.exe
        7⤵
        
        PID:5976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\degxpjvn.4hh\installer.exe /qn CAMPAIGN="654" & exit
        6⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\degxpjvn.4hh\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\degxpjvn.4hh\installer.exe /qn CAMPAIGN="654"
        7⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\degxpjvn.4hh\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\degxpjvn.4hh\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621103668 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        8⤵
        
        PID:6112
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\npfuiynh.mye\hbggg.exe & exit
        6⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\npfuiynh.mye\hbggg.exe
        
        C:\Users\Admin\AppData\Local\Temp\npfuiynh.mye\hbggg.exe
        7⤵
        Executes dropped EXE
        
        PID:6244
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:6260
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:8728
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:1460
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tatvay1o.abp\google-game.exe & exit
        6⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\tatvay1o.abp\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\tatvay1o.abp\google-game.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser
        8⤵
        
        PID:5796
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xls4ofzs.ye4\setup.exe & exit
        6⤵
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\Temp\xls4ofzs.ye4\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\xls4ofzs.ye4\setup.exe
        7⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\xls4ofzs.ye4\setup.exe"
        8⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        9⤵
        Runs ping.exe
        
        PID:6704
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\thnoio0s.i0z\customer1.exe & exit
        6⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\thnoio0s.i0z\customer1.exe
        
        C:\Users\Admin\AppData\Local\Temp\thnoio0s.i0z\customer1.exe
        7⤵
        Executes dropped EXE
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:9192
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:10192
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g0hfov3y.vwp\toolspab1.exe & exit
        6⤵
        
        PID:6232
        
        C:\Users\Admin\AppData\Local\Temp\g0hfov3y.vwp\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\g0hfov3y.vwp\toolspab1.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\g0hfov3y.vwp\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\g0hfov3y.vwp\toolspab1.exe
        8⤵
        
        PID:4060
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o33t32pk.qo2\GcleanerWW.exe /mixone & exit
        6⤵
        
        PID:6976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5jbaa0cv.3fp\005.exe & exit
        6⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\5jbaa0cv.3fp\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\5jbaa0cv.3fp\005.exe
        7⤵
        
        PID:7020
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l0kleqac.rwy\installer.exe /qn CAMPAIGN="654" & exit
        6⤵
        
        PID:6928
        
        C:\Users\Admin\AppData\Local\Temp\l0kleqac.rwy\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\l0kleqac.rwy\installer.exe /qn CAMPAIGN="654"
        7⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\l0kleqac.rwy\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\l0kleqac.rwy\ EXE_CMD_LINE="/forcecleanup /wintime 1621103668 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        8⤵
        Executes dropped EXE
        
        PID:6260
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ralxvjc3.5s5\702564a0.exe & exit
        6⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\ralxvjc3.5s5\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\ralxvjc3.5s5\702564a0.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5688
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lmmt5a2x.bye\app.exe /8-2222 & exit
        6⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\lmmt5a2x.bye\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\lmmt5a2x.bye\app.exe /8-2222
        7⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\lmmt5a2x.bye\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lmmt5a2x.bye\app.exe" /8-2222
        8⤵
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies data under HKEY_USERS
        
        PID:4984
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\roeakanr.rg3\Setup3310.exe /Verysilent /subid=623 & exit
        6⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\roeakanr.rg3\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\roeakanr.rg3\Setup3310.exe /Verysilent /subid=623
        7⤵
        Executes dropped EXE
        
        PID:6228
        
        C:\Users\Admin\AppData\Local\Temp\is-T0OPG.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-T0OPG.tmp\Setup3310.tmp" /SL5="$20450,138429,56832,C:\Users\Admin\AppData\Local\Temp\roeakanr.rg3\Setup3310.exe" /Verysilent /subid=623
        8⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\is-PC70P.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-PC70P.tmp\Setup.exe" /Verysilent
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4836
        
        C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:5176
        
        C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"
        11⤵
        
        PID:5772
        
        C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3076
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        11⤵
        Loads dropped DLL
        
        PID:1944
        
        C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe"
        10⤵
        Executes dropped EXE
        
        PID:6688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        11⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        12⤵
        Kills process with taskkill
        
        PID:6756
        
        C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe"
        10⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        
        PID:736
        
        C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        10⤵
        
        PID:1116
        
        C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        10⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"
        10⤵
        
        PID:7144
        
        C:\Users\Admin\AppData\Roaming\1303641.exe
        
        "C:\Users\Admin\AppData\Roaming\1303641.exe"
        11⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Roaming\4287445.exe
        
        "C:\Users\Admin\AppData\Roaming\4287445.exe"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5628
        
        C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        12⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Users\Admin\AppData\Roaming\1478162.exe
        
        "C:\Users\Admin\AppData\Roaming\1478162.exe"
        11⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:6836
        
        C:\Users\Admin\AppData\Roaming\8475173.exe
        
        "C:\Users\Admin\AppData\Roaming\8475173.exe"
        11⤵
        Executes dropped EXE
        
        PID:5980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 2088
        12⤵
        Program crash
        
        PID:7684
        
        C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
        10⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
        11⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im RunWW.exe /f
        12⤵
        Kills process with taskkill
        
        PID:7108
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        12⤵
        Delays execution with timeout.exe
        
        PID:5240
        
        C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
        10⤵
        Executes dropped EXE
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        Executes dropped EXE
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:8216
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:9968
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
  2⤵
  PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe" >> NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4728
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:4644
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5932
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:5424
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:9188
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:9816

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  PID:420
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:3396

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5008

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4000

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4984

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3488

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:6448
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B980F522AC5D7B6FC4EC105B76368BC5 C
  2⤵
  - Loads dropped DLL
  PID:6916
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5EF6EEED9744FBA18E3B911FA5F44D5A
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:6512
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:6580
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F63D608EA36D84FC86AF96B5F703080B E Global\MSI0000
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6604
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9B013D762772F521C7F0AAAA2A97BEA1 C
  2⤵
  - Loads dropped DLL
  PID:5788
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 951632366105EAF0CA56D5D20D750084
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:6896
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:6336
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4DD518D337A2A10A15D2B6CA10F3BC78 E Global\MSI0000
  2⤵
  PID:4888
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 580015D534D31B13FD7E619E115DDD14 C
  2⤵
  PID:4880
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6244D8C062FD16728C1EB0B0DE14989D
  2⤵
  PID:6180
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:7480
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D1A75B1B121582DF1606121F33EFCFD6 E Global\MSI0000
  2⤵
  PID:7384

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7044

C:\Users\Admin\AppData\Local\Temp\8FEC.exe
C:\Users\Admin\AppData\Local\Temp\8FEC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3704

C:\Users\Admin\AppData\Local\Temp\96A4.exe
C:\Users\Admin\AppData\Local\Temp\96A4.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Users\Admin\AppData\Local\Temp\is-3E54I.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3E54I.tmp\lylal220.tmp" /SL5="$3043C,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
1⤵
PID:6664
- C:\Users\Admin\AppData\Local\Temp\is-EVRFL.tmp\4_177039.exe
  "C:\Users\Admin\AppData\Local\Temp\is-EVRFL.tmp\4_177039.exe" /S /UID=lylal220
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID:4788
- - C:\Program Files\Microsoft Office 15\EXZCTWNWNO\irecord.exe
    "C:\Program Files\Microsoft Office 15\EXZCTWNWNO\irecord.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\is-TBTD7.tmp\irecord.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-TBTD7.tmp\irecord.tmp" /SL5="$30368,6139911,56832,C:\Program Files\Microsoft Office 15\EXZCTWNWNO\irecord.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of FindShellTrayWindow
      PID:3836
    - - C:\Program Files (x86)\recording\i-record.exe
        
        "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
        5⤵
        Executes dropped EXE
        
        PID:6032
- - C:\Users\Admin\AppData\Local\Temp\0b-b2a8a-471-f2487-94d908950d856\Xudubyjaeko.exe
    "C:\Users\Admin\AppData\Local\Temp\0b-b2a8a-471-f2487-94d908950d856\Xudubyjaeko.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:5224
- - C:\Users\Admin\AppData\Local\Temp\86-f665b-f1b-3259e-e804769e5ef4a\ZHulaerikada.exe
    "C:\Users\Admin\AppData\Local\Temp\86-f665b-f1b-3259e-e804769e5ef4a\ZHulaerikada.exe"
    3⤵
    - Executes dropped EXE
    PID:6356
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a1x13iea.rvl\001.exe & exit
      4⤵
      Blocklisted process makes network request
      Executes dropped EXE
      Loads dropped DLL
      PID:6664
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Executes dropped EXE
        
        PID:1116
    - - C:\Users\Admin\AppData\Local\Temp\a1x13iea.rvl\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\a1x13iea.rvl\001.exe
        5⤵
        
        PID:7104
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xu4jkzve.yag\installer.exe /qn CAMPAIGN="654" & exit
      4⤵
      PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\xu4jkzve.yag\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\xu4jkzve.yag\installer.exe /qn CAMPAIGN="654"
        5⤵
        
        PID:5964
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ubcc5i5d.zpm\hbggg.exe & exit
      4⤵
      PID:5604
    - - C:\Users\Admin\AppData\Local\Temp\ubcc5i5d.zpm\hbggg.exe
        
        C:\Users\Admin\AppData\Local\Temp\ubcc5i5d.zpm\hbggg.exe
        5⤵
        
        PID:3440
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:5220
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:5608
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:7776
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:4664
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3tnbwqwk.tse\google-game.exe & exit
      4⤵
      PID:6408
    - - C:\Users\Admin\AppData\Local\Temp\3tnbwqwk.tse\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\3tnbwqwk.tse\google-game.exe
        5⤵
        Checks computer location settings
        
        PID:6764
      - C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser
        6⤵
        
        PID:7572
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b3zns5bj.ojj\setup.exe & exit
      4⤵
      PID:7104
    - - C:\Users\Admin\AppData\Local\Temp\b3zns5bj.ojj\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\b3zns5bj.ojj\setup.exe
        5⤵
        
        PID:7336
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\b3zns5bj.ojj\setup.exe"
        6⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        7⤵
        Executes dropped EXE
        Runs ping.exe
        
        PID:7144
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\teflwbfi.zwq\customer1.exe & exit
      4⤵
      PID:7660
    - - C:\Users\Admin\AppData\Local\Temp\teflwbfi.zwq\customer1.exe
        
        C:\Users\Admin\AppData\Local\Temp\teflwbfi.zwq\customer1.exe
        5⤵
        
        PID:7484
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:6880
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:5212
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:7724
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:5740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\15lhzabe.5k5\toolspab1.exe & exit
      4⤵
      PID:7948
    - - C:\Users\Admin\AppData\Local\Temp\15lhzabe.5k5\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\15lhzabe.5k5\toolspab1.exe
        5⤵
        Suspicious use of SetThreadContext
        
        PID:7132
      - C:\Users\Admin\AppData\Local\Temp\15lhzabe.5k5\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\15lhzabe.5k5\toolspab1.exe
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:7388
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tf2febwo.chh\GcleanerWW.exe /mixone & exit
      4⤵
      PID:1204
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\54dztcxr.ngk\005.exe & exit
      4⤵
      PID:7320
    - - C:\Users\Admin\AppData\Local\Temp\54dztcxr.ngk\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\54dztcxr.ngk\005.exe
        5⤵
        
        PID:7208
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yaud35kk.t5m\installer.exe /qn CAMPAIGN="654" & exit
      4⤵
      PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\yaud35kk.t5m\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\yaud35kk.t5m\installer.exe /qn CAMPAIGN="654"
        5⤵
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:8012
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\yaud35kk.t5m\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\yaud35kk.t5m\ EXE_CMD_LINE="/forcecleanup /wintime 1621103668 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        6⤵
        Loads dropped DLL
        
        PID:4888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nn02hckp.dtr\702564a0.exe & exit
      4⤵
      PID:7412
    - - C:\Users\Admin\AppData\Local\Temp\nn02hckp.dtr\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\nn02hckp.dtr\702564a0.exe
        5⤵
        Checks SCSI registry key(s)
        
        PID:4744
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\labtfe51.av2\app.exe /8-2222 & exit
      4⤵
      PID:6852
    - - C:\Users\Admin\AppData\Local\Temp\labtfe51.av2\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\labtfe51.av2\app.exe /8-2222
        5⤵
        
        PID:8040
      - C:\Users\Admin\AppData\Local\Temp\labtfe51.av2\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\labtfe51.av2\app.exe" /8-2222
        6⤵
        Modifies data under HKEY_USERS
        
        PID:7996
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vprtyrhv.kvp\Setup3310.exe /Verysilent /subid=623 & exit
      4⤵
      Blocklisted process makes network request
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      PID:7160
    - - C:\Users\Admin\AppData\Local\Temp\vprtyrhv.kvp\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\vprtyrhv.kvp\Setup3310.exe /Verysilent /subid=623
        5⤵
        
        PID:2492
      - C:\Users\Admin\AppData\Local\Temp\is-83OHC.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-83OHC.tmp\Setup3310.tmp" /SL5="$B045C,138429,56832,C:\Users\Admin\AppData\Local\Temp\vprtyrhv.kvp\Setup3310.exe" /Verysilent /subid=623
        6⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\is-M8M56.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-M8M56.tmp\Setup.exe" /Verysilent
        7⤵
        Drops file in Program Files directory
        
        PID:5044

C:\Users\Admin\AppData\Local\Temp\is-R8QQH.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R8QQH.tmp\LabPicV3.tmp" /SL5="$3041A,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748
- C:\Users\Admin\AppData\Local\Temp\is-8DK62.tmp\3316505.exe
  "C:\Users\Admin\AppData\Local\Temp\is-8DK62.tmp\3316505.exe" /S /UID=lab214
  2⤵
  PID:7160
- - C:\Program Files\Windows Defender Advanced Threat Protection\OYDJXIDPYU\prolab.exe
    "C:\Program Files\Windows Defender Advanced Threat Protection\OYDJXIDPYU\prolab.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    PID:5228
  - - C:\Users\Admin\AppData\Local\Temp\is-0I3E5.tmp\prolab.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-0I3E5.tmp\prolab.tmp" /SL5="$3034C,575243,216576,C:\Program Files\Windows Defender Advanced Threat Protection\OYDJXIDPYU\prolab.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of FindShellTrayWindow
      PID:6944
- - C:\Users\Admin\AppData\Local\Temp\ed-dbe00-224-9fd93-4ef25d810988d\Seledipuvi.exe
    "C:\Users\Admin\AppData\Local\Temp\ed-dbe00-224-9fd93-4ef25d810988d\Seledipuvi.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:5388
- - C:\Users\Admin\AppData\Local\Temp\3d-f0a03-cc1-baba0-7b387b9d67245\Lebaefijire.exe
    "C:\Users\Admin\AppData\Local\Temp\3d-f0a03-cc1-baba0-7b387b9d67245\Lebaefijire.exe"
    3⤵
    - Executes dropped EXE
    PID:5976
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mxrlmi2f.b3t\001.exe & exit
      4⤵
      PID:4860
    - - C:\Users\Admin\AppData\Local\Temp\mxrlmi2f.b3t\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\mxrlmi2f.b3t\001.exe
        5⤵
        
        PID:4744
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bfmfowss.efe\installer.exe /qn CAMPAIGN="654" & exit
      4⤵
      PID:6296
    - - C:\Users\Admin\AppData\Local\Temp\bfmfowss.efe\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\bfmfowss.efe\installer.exe /qn CAMPAIGN="654"
        5⤵
        
        PID:996
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kph2l0zd.irg\hbggg.exe & exit
      4⤵
      PID:2208
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Executes dropped EXE
        
        PID:7020
    - - C:\Users\Admin\AppData\Local\Temp\kph2l0zd.irg\hbggg.exe
        
        C:\Users\Admin\AppData\Local\Temp\kph2l0zd.irg\hbggg.exe
        5⤵
        
        PID:6672
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:2528
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:7416
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:9140
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:9740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i2vebllp.uqe\google-game.exe & exit
      4⤵
      PID:8156
    - - C:\Users\Admin\AppData\Local\Temp\i2vebllp.uqe\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\i2vebllp.uqe\google-game.exe
        5⤵
        Checks computer location settings
        
        PID:7140
      - C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser
        6⤵
        
        PID:7256
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vv4sboqi.kju\setup.exe & exit
      4⤵
      PID:3700
    - - C:\Users\Admin\AppData\Local\Temp\vv4sboqi.kju\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\vv4sboqi.kju\setup.exe
        5⤵
        
        PID:7336
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\vv4sboqi.kju\setup.exe"
        6⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        7⤵
        Runs ping.exe
        
        PID:5212
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wkv2e5dr.0fx\customer1.exe & exit
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\wkv2e5dr.0fx\customer1.exe
        
        C:\Users\Admin\AppData\Local\Temp\wkv2e5dr.0fx\customer1.exe
        5⤵
        
        PID:7204
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:4164
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:7952
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:7424
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:9032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pl1f0uup.a4r\toolspab1.exe & exit
      4⤵
      PID:4728
    - - C:\Users\Admin\AppData\Local\Temp\pl1f0uup.a4r\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\pl1f0uup.a4r\toolspab1.exe
        5⤵
        Suspicious use of SetThreadContext
        
        PID:7904
      - C:\Users\Admin\AppData\Local\Temp\pl1f0uup.a4r\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\pl1f0uup.a4r\toolspab1.exe
        6⤵
        Checks SCSI registry key(s)
        
        PID:8064
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mtmqw2q5.ala\GcleanerWW.exe /mixone & exit
      4⤵
      PID:5116
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7256
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4uzhptzs.hax\005.exe & exit
      4⤵
      PID:6440
    - - C:\Users\Admin\AppData\Local\Temp\4uzhptzs.hax\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\4uzhptzs.hax\005.exe
        5⤵
        
        PID:7852
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p5oehy1q.rpa\installer.exe /qn CAMPAIGN="654" & exit
      4⤵
      PID:7884
    - - C:\Users\Admin\AppData\Local\Temp\p5oehy1q.rpa\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\p5oehy1q.rpa\installer.exe /qn CAMPAIGN="654"
        5⤵
        
        PID:7072
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zwnn1kcd.lva\702564a0.exe & exit
      4⤵
      PID:1240
    - - C:\Users\Admin\AppData\Local\Temp\zwnn1kcd.lva\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\zwnn1kcd.lva\702564a0.exe
        5⤵
        Checks SCSI registry key(s)
        
        PID:2528
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\regs2q5k.2yk\app.exe /8-2222 & exit
      4⤵
      PID:6296
    - - C:\Users\Admin\AppData\Local\Temp\regs2q5k.2yk\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\regs2q5k.2yk\app.exe /8-2222
        5⤵
        
        PID:636
      - C:\Users\Admin\AppData\Local\Temp\regs2q5k.2yk\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\regs2q5k.2yk\app.exe" /8-2222
        6⤵
        Modifies data under HKEY_USERS
        
        PID:4312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bn3yyx5f.z30\Setup3310.exe /Verysilent /subid=623 & exit
      4⤵
      PID:6872
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Loads dropped DLL
        
        PID:5796
    - - C:\Users\Admin\AppData\Local\Temp\bn3yyx5f.z30\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\bn3yyx5f.z30\Setup3310.exe /Verysilent /subid=623
        5⤵
        
        PID:5100
      - C:\Users\Admin\AppData\Local\Temp\is-2910U.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2910U.tmp\Setup3310.tmp" /SL5="$A0434,138429,56832,C:\Users\Admin\AppData\Local\Temp\bn3yyx5f.z30\Setup3310.exe" /Verysilent /subid=623
        6⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\is-FP24F.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-FP24F.tmp\Setup.exe" /Verysilent
        7⤵
        
        PID:7636

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6712

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4652

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3192

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
PID:5612

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1244

C:\Users\Admin\AppData\Local\Temp\5571.exe
C:\Users\Admin\AppData\Local\Temp\5571.exe
1⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:4948
- C:\Program Files\Windows Defender\MpCmdRun.exe
  "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -Set-Mp Preference -DisableIOAVProtection $true
  2⤵
  PID:7204
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Drops file in Windows directory
  PID:8116
- - C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -Set-Mp Preference -DisableIOAVProtection $true
    3⤵
    PID:7308
- - C:\Windows\System\spoolsv.exe
    "C:\Windows\System\spoolsv.exe" --MaxCircuitDirtiness 60 --NewCircuitPeriod 1 --MaxClientCircuitsPending 1024 --OptimisticData 1 --KeepalivePeriod 30 --CircuitBuildTimeout 10 --EnforceDistinctSubnets 0 --HardwareAccel 1 --UseEntryGuards 0
    3⤵
    PID:5220

C:\Users\Admin\AppData\Local\Temp\5CC5.exe
C:\Users\Admin\AppData\Local\Temp\5CC5.exe
1⤵
PID:7544

C:\Users\Admin\AppData\Local\Temp\608F.exe
C:\Users\Admin\AppData\Local\Temp\608F.exe
1⤵
PID:7724

C:\Users\Admin\AppData\Local\Temp\6B0F.exe
C:\Users\Admin\AppData\Local\Temp\6B0F.exe
1⤵
PID:8076

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7388

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7520

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4304

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5064

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4756

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:7632

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7624

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:7972

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e0
1⤵
PID:7516

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8132
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 8132 -s 1332
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:5808

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8056
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 8056 -s 1400
  2⤵
  - Program crash
  PID:7208

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:7412

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 7284 -s 2004
  2⤵
  - Program crash
  PID:2100

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Executes dropped EXE
PID:5284

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Executes dropped EXE
PID:5324

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1228

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6180

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4656

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8856

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5764
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5764 -s 1332
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:8224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9008

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7524

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9016

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9340

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9592

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9820

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9436

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3128

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9648
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 9648 -s 1232
  2⤵
  - Program crash
  PID:9756

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6820

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4516

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4880
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4880 -s 1324
  2⤵
  - Program crash
  PID:9720

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9612

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4156
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4156 -s 1224
  2⤵
  - Program crash
  PID:9740

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6396

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9928

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9604

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10664

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery