elysiumstealer | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5480097.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5480097.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Cucaculoxi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	keygen-step-4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	google-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Xiluzhecozhy.exe

Loads dropped DLL 64 IoCs

pid	Process
3552	rundll32.exe
2716	Install.tmp
4872	installer.exe
4872	installer.exe
4872	installer.exe
5424	MsiExec.exe
5424	MsiExec.exe
5896	MsiExec.exe
5896	MsiExec.exe
4428	rUNdlL32.eXe
5896	MsiExec.exe
5896	MsiExec.exe
5896	MsiExec.exe
5896	MsiExec.exe
5896	MsiExec.exe
5896	MsiExec.exe
5896	MsiExec.exe
5896	MsiExec.exe
4872	installer.exe
5896	MsiExec.exe
5896	MsiExec.exe
5460	MsiExec.exe
5460	MsiExec.exe
5460	MsiExec.exe
5460	MsiExec.exe
5460	MsiExec.exe
5460	MsiExec.exe
5460	MsiExec.exe
6068	toolspab1.exe
5896	MsiExec.exe
2168	installer.exe
2168	installer.exe
2168	installer.exe
5264	MsiExec.exe
5264	MsiExec.exe
5856	702564a0.exe
3576	Setup3310.tmp
3576	Setup3310.tmp
5372	MsiExec.exe
5372	MsiExec.exe
5372	MsiExec.exe
5372	MsiExec.exe
5372	MsiExec.exe
5372	MsiExec.exe
5372	MsiExec.exe
5372	MsiExec.exe
5372	MsiExec.exe
5372	MsiExec.exe
2168	installer.exe
5372	MsiExec.exe
5372	MsiExec.exe
5848	MsiExec.exe
5848	MsiExec.exe
5848	MsiExec.exe
5848	MsiExec.exe
5848	MsiExec.exe
5848	MsiExec.exe
5848	MsiExec.exe
5372	MsiExec.exe
5448	005.exe
5196	Conhost.exe
3832	rUNdlL32.eXe
5332	RunWW.exe
5332	RunWW.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MSBuild\\Kalaecolapo.exe\""	Ultra.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gaoou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\UltraMediaBurner\\Nawilalufe.exe\""	4_177039.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Windows\\System\\svchost.exe"	183A.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg6_6asg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5480097.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg7_7wjg.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\N:	Setup3310.tmp
File opened (read-only)	\??\W:	Setup3310.tmp
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	Setup3310.tmp
File opened (read-only)	\??\E:	Setup3310.tmp
File opened (read-only)	\??\H:	Setup3310.tmp
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\A:	Setup3310.tmp
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\B:	Setup3310.tmp
File opened (read-only)	\??\T:	Setup3310.tmp
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\O:	Setup3310.tmp
File opened (read-only)	\??\P:	Setup3310.tmp
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\G:	Setup3310.tmp
File opened (read-only)	\??\Q:	Setup3310.tmp
File opened (read-only)	\??\U:	Setup3310.tmp
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	Setup3310.tmp
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\V:	Setup3310.tmp
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\J:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
68	ip-api.com
207	ipinfo.io
210	ipinfo.io
309	ip-api.com
500	ipinfo.io
502	ipinfo.io

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 8F39B242D864D1FE	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 276C04E8BD707D6C	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3448	5480097.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 3292 set thread context of 2960	3292	svchost.exe	80
PID 3292 set thread context of 2456	3292	svchost.exe	88
PID 4232 set thread context of 6068	4232	toolspab1.exe	142
PID 4464 set thread context of 992	4464	dp81GdX0OrCQ.exe	213
PID 6972 set thread context of 4444	6972	toolspab1.exe	274
PID 6384 set thread context of 1356	6384	wdejghe	317
PID 5952 set thread context of 3192	5952	wdejghe	330
PID 1640 set thread context of 6124	1640	35BB.exe	339
PID 10100 set thread context of 9700	10100	wdejghe	347

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraMediaBurner\is-8A0I8.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\MSBuild\Kalaecolapo.exe	Ultra.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\recording\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\recording\is-SS7MQ.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-0G5LE.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-T2APF.tmp	irecord.tmp
File created	C:\Program Files\install.dat	xiuhuali.exe
File created	C:\Program Files\install.dll	xiuhuali.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\recording\i-record.exe	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\AForge.Video.FFMPEG.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\swscale-2.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe	Setup.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files\7-Zip\XXAQELTLBR\irecord.exe	4_177039.exe
File created	C:\Program Files (x86)\recording\is-B1HGQ.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-1TLIF.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe	Setup.exe
File created	C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.ini	Setup.exe
File opened for modification	C:\Program Files (x86)\recording\avdevice-53.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-GFJUI.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\d	jg7_7wjg.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\MSBuild\Kalaecolapo.exe.config	Ultra.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\recording\avfilter-2.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-2UVSD.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\recording\AForge.Video.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-C40N3.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files\7-Zip\XXAQELTLBR\irecord.exe.config	4_177039.exe
File opened for modification	C:\Program Files (x86)\recording\avformat-53.dll	irecord.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\Nawilalufe.exe	4_177039.exe
File created	C:\Program Files (x86)\recording\is-V4BG0.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\d.INTEG.RAW	jg7_7wjg.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\recording\Bunifu_UI_v1.52.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avcodec-53.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-2QM3Q.tmp	irecord.tmp
File created	C:\Program Files\Reference Assemblies\SFLFKNWVEU\ultramediaburner.exe.config	Ultra.exe
File created	C:\Program Files (x86)\recording\is-MV5I9.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avutil-51.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\swresample-0.dll	irecord.tmp
File created	C:\Program Files (x86)\Data Finder\Versium Research\d	jg7_7wjg.exe
File created	C:\Program Files (x86)\Data Finder\Versium Research\tmp.edb	jg7_7wjg.exe
File created	C:\Program Files (x86)\Data Finder\Versium Research\d.jfm	jg7_7wjg.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\recording\postproc-52.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\unins000.exe	irecord.tmp
File created	C:\Program Files (x86)\recording\is-8IOJU.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-KG235.tmp	irecord.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-TV7VG.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\recording\unins000.dat	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\d.jfm	jg7_7wjg.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\recording\is-PH681.tmp	irecord.tmp

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI45F3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI739C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8297.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E80.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI37F0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EB9.tmp	msiexec.exe
File opened for modification	C:\Windows\System\libgcc_s_sjlj-1.dll	svchost.exe
File opened for modification	C:\Windows\Installer\MSI846D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D51.tmp	msiexec.exe
File created	C:\Windows\System\xxx1.bak	183A.exe
File opened for modification	C:\Windows\System\svchost.exe	183A.exe
File opened for modification	C:\Windows\System\libcrypto-1_1.dll	svchost.exe
File opened for modification	C:\Windows\Installer\MSI41CA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICFE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\System\spoolsv.tar	svchost.exe
File opened for modification	C:\Windows\Installer\MSI8847.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D65.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F41.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3697.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7900.tmp	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI387E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6093.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6005.tmp	msiexec.exe
File opened for modification	C:\Windows\System\libssp-0.dll	svchost.exe
File opened for modification	C:\Windows\Installer\MSI78A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B58.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA574.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C16.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6752.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA39B.tmp	msiexec.exe
File opened for modification	C:\Windows\System\libevent-2-1-7.dll	svchost.exe
File opened for modification	C:\Windows\Installer\MSI8913.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI955A.tmp	msiexec.exe
File created	C:\Windows\System\svchost.exe	183A.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8DE3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9440.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA3CB.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI976F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI39F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI93F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A0A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI96A3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EE9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6401.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI77C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI139A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI490F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8B8D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9373.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6703.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87B4.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA2DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D02.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5468	4052	WerFault.exe	199
2956	296	WerFault.exe	312

Checks SCSI registry key(s) 3 TTPs 30 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wdejghe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	siejghe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	siejghe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	siejghe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	siejghe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	siejghe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wdejghe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wdejghe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wdejghe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wdejghe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wdejghe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wdejghe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	siejghe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	siejghe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wdejghe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	siejghe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wdejghe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	siejghe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RunWW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RunWW.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6584	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
2188	taskkill.exe
4372	taskkill.exe
4292	taskkill.exe
5028	taskkill.exe
844	taskkill.exe
6580	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	app.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	app.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	app.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	app.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\specimen.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "171"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\propapps.info\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\reckless.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "70"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 61c6a8330d4cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\propapps.info\Total = "18"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\sickness.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "328141383"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\sms.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\declaration.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\moment.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\declaration.netflowcorp.com = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\addicted.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\presence.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f4562dbb0d4cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fce12f130e4cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "190"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\propapps.info\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\read.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\memo.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\note.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\conflict.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\read.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "10"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\note.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\password.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\message.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\new.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\acnav.online\NumberOfSubdom = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{04BCBF3C-EAF8-4E75-A858-804E41367F62} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "9"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\big.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\minimize.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\strength.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\tropical.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\readnow.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "79"	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	filee.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	filee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4324	PING.EXE
5124	PING.EXE
4624	PING.EXE

Script User-Agent 16 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	518	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	520	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	208	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	323	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	228	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	514	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	517	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	216	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	224	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	501	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	502	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	504	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	515	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	210	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	222	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	313	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3552	rundll32.exe
3552	rundll32.exe
3292	svchost.exe
3292	svchost.exe
1852	ultramediaburner.tmp
1852	ultramediaburner.tmp
3292	svchost.exe
3292	svchost.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe
4144	Sazhilegiqi.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3036	Process not Found

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
6068	toolspab1.exe
5856	702564a0.exe
6572	MicrosoftEdgeCP.exe
6572	MicrosoftEdgeCP.exe
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
6824	explorer.exe
6824	explorer.exe
6824	explorer.exe
6824	explorer.exe
6824	explorer.exe
6824	explorer.exe
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
6424	explorer.exe
6424	explorer.exe
6424	explorer.exe
6424	explorer.exe
6424	explorer.exe
6424	explorer.exe
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
6164	explorer.exe
6164	explorer.exe
6164	explorer.exe
6164	explorer.exe
6164	explorer.exe
6164	explorer.exe
3036	Process not Found
3036	Process not Found
4444	toolspab1.exe
6424	explorer.exe
6424	explorer.exe
6824	explorer.exe
6824	explorer.exe
6164	explorer.exe
6164	explorer.exe
6424	explorer.exe
6424	explorer.exe
6164	explorer.exe
6164	explorer.exe
6824	explorer.exe
6824	explorer.exe
3884	702564a0.exe
6824	explorer.exe
6824	explorer.exe
6164	explorer.exe
6164	explorer.exe
6424	explorer.exe
6424	explorer.exe
6572	MicrosoftEdgeCP.exe
6572	MicrosoftEdgeCP.exe
6164	explorer.exe
6164	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3552	rundll32.exe
Token: SeTcbPrivilege	3292	svchost.exe
Token: SeDebugPrivilege	3552	rundll32.exe
Token: SeDebugPrivilege	3552	rundll32.exe
Token: SeDebugPrivilege	3552	rundll32.exe
Token: SeDebugPrivilege	3552	rundll32.exe
Token: SeDebugPrivilege	3552	rundll32.exe
Token: SeDebugPrivilege	4060	JoSetp.exe
Token: SeDebugPrivilege	3552	rundll32.exe
Token: SeDebugPrivilege	3552	rundll32.exe
Token: SeDebugPrivilege	3552	rundll32.exe
Token: SeDebugPrivilege	3552	rundll32.exe
Token: SeDebugPrivilege	3552	rundll32.exe
Token: SeDebugPrivilege	3552	rundll32.exe
Token: SeDebugPrivilege	3552	rundll32.exe
Token: SeDebugPrivilege	2764	Ultra.exe
Token: SeTcbPrivilege	3292	svchost.exe
Token: SeAuditPrivilege	2424	svchost.exe
Token: SeDebugPrivilege	3860	Cucaculoxi.exe
Token: SeDebugPrivilege	4144	Sazhilegiqi.exe
Token: SeAssignPrimaryTokenPrivilege	2724	svchost.exe
Token: SeIncreaseQuotaPrivilege	2724	svchost.exe
Token: SeSecurityPrivilege	2724	svchost.exe
Token: SeTakeOwnershipPrivilege	2724	svchost.exe
Token: SeLoadDriverPrivilege	2724	svchost.exe
Token: SeSystemtimePrivilege	2724	svchost.exe
Token: SeBackupPrivilege	2724	svchost.exe
Token: SeRestorePrivilege	2724	svchost.exe
Token: SeShutdownPrivilege	2724	svchost.exe
Token: SeSystemEnvironmentPrivilege	2724	svchost.exe
Token: SeUndockPrivilege	2724	svchost.exe
Token: SeManageVolumePrivilege	2724	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2724	svchost.exe
Token: SeIncreaseQuotaPrivilege	2724	svchost.exe
Token: SeSecurityPrivilege	2724	svchost.exe
Token: SeTakeOwnershipPrivilege	2724	svchost.exe
Token: SeLoadDriverPrivilege	2724	svchost.exe
Token: SeSystemtimePrivilege	2724	svchost.exe
Token: SeBackupPrivilege	2724	svchost.exe
Token: SeRestorePrivilege	2724	svchost.exe
Token: SeShutdownPrivilege	2724	svchost.exe
Token: SeSystemEnvironmentPrivilege	2724	svchost.exe
Token: SeUndockPrivilege	2724	svchost.exe
Token: SeManageVolumePrivilege	2724	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2724	svchost.exe
Token: SeIncreaseQuotaPrivilege	2724	svchost.exe
Token: SeSecurityPrivilege	2724	svchost.exe
Token: SeTakeOwnershipPrivilege	2724	svchost.exe
Token: SeLoadDriverPrivilege	2724	svchost.exe
Token: SeSystemtimePrivilege	2724	svchost.exe
Token: SeBackupPrivilege	2724	svchost.exe
Token: SeRestorePrivilege	2724	svchost.exe
Token: SeShutdownPrivilege	2724	svchost.exe
Token: SeSystemEnvironmentPrivilege	2724	svchost.exe
Token: SeUndockPrivilege	2724	svchost.exe
Token: SeManageVolumePrivilege	2724	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2724	svchost.exe
Token: SeIncreaseQuotaPrivilege	2724	svchost.exe
Token: SeSecurityPrivilege	2724	svchost.exe
Token: SeTakeOwnershipPrivilege	2724	svchost.exe
Token: SeLoadDriverPrivilege	2724	svchost.exe
Token: SeSystemtimePrivilege	2724	svchost.exe
Token: SeBackupPrivilege	2724	svchost.exe
Token: SeRestorePrivilege	2724	svchost.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1852	ultramediaburner.tmp
4872	installer.exe
2168	installer.exe
3576	Setup3310.tmp
3036	Process not Found
3036	Process not Found
2280	irecord.tmp
4200	Setup3310.tmp
4940	installer.exe
4200	Setup3310.tmp

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2168	xiuhuali.exe
2168	xiuhuali.exe
4728	MicrosoftEdge.exe
5052	MicrosoftEdgeCP.exe
5052	MicrosoftEdgeCP.exe
3296	609F.exe
4312	MicrosoftEdge.exe
6572	MicrosoftEdgeCP.exe
6572	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3036	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 2168	3992	keygen-step-4.exe	75
PID 3992 wrote to memory of 2168	3992	keygen-step-4.exe	75
PID 3992 wrote to memory of 2168	3992	keygen-step-4.exe	75
PID 2168 wrote to memory of 3552	2168	xiuhuali.exe	77
PID 2168 wrote to memory of 3552	2168	xiuhuali.exe	77
PID 2168 wrote to memory of 3552	2168	xiuhuali.exe	77
PID 3992 wrote to memory of 4060	3992	keygen-step-4.exe	79
PID 3992 wrote to memory of 4060	3992	keygen-step-4.exe	79
PID 3552 wrote to memory of 3292	3552	rundll32.exe	71
PID 3552 wrote to memory of 2852	3552	rundll32.exe	25
PID 3292 wrote to memory of 2960	3292	svchost.exe	80
PID 3292 wrote to memory of 2960	3292	svchost.exe	80
PID 3292 wrote to memory of 2960	3292	svchost.exe	80
PID 3552 wrote to memory of 68	3552	rundll32.exe	61
PID 3552 wrote to memory of 2432	3552	rundll32.exe	32
PID 3552 wrote to memory of 2424	3552	rundll32.exe	33
PID 3552 wrote to memory of 1064	3552	rundll32.exe	56
PID 3552 wrote to memory of 676	3552	rundll32.exe	58
PID 3552 wrote to memory of 1404	3552	rundll32.exe	49
PID 3552 wrote to memory of 1820	3552	rundll32.exe	41
PID 3552 wrote to memory of 1184	3552	rundll32.exe	9
PID 3552 wrote to memory of 1224	3552	rundll32.exe	52
PID 3552 wrote to memory of 2724	3552	rundll32.exe	26
PID 3552 wrote to memory of 2740	3552	rundll32.exe	13
PID 3992 wrote to memory of 3180	3992	keygen-step-4.exe	81
PID 3992 wrote to memory of 3180	3992	keygen-step-4.exe	81
PID 3992 wrote to memory of 3180	3992	keygen-step-4.exe	81
PID 3180 wrote to memory of 2716	3180	Install.exe	82
PID 3180 wrote to memory of 2716	3180	Install.exe	82
PID 3180 wrote to memory of 2716	3180	Install.exe	82
PID 2716 wrote to memory of 2764	2716	Install.tmp	83
PID 2716 wrote to memory of 2764	2716	Install.tmp	83
PID 2764 wrote to memory of 1636	2764	Ultra.exe	86
PID 2764 wrote to memory of 1636	2764	Ultra.exe	86
PID 2764 wrote to memory of 1636	2764	Ultra.exe	86
PID 1636 wrote to memory of 1852	1636	ultramediaburner.exe	87
PID 1636 wrote to memory of 1852	1636	ultramediaburner.exe	87
PID 1636 wrote to memory of 1852	1636	ultramediaburner.exe	87
PID 2764 wrote to memory of 3860	2764	Ultra.exe	89
PID 2764 wrote to memory of 3860	2764	Ultra.exe	89
PID 3292 wrote to memory of 2456	3292	svchost.exe	88
PID 3292 wrote to memory of 2456	3292	svchost.exe	88
PID 3292 wrote to memory of 2456	3292	svchost.exe	88
PID 1852 wrote to memory of 3472	1852	ultramediaburner.tmp	90
PID 1852 wrote to memory of 3472	1852	ultramediaburner.tmp	90
PID 2764 wrote to memory of 4144	2764	Ultra.exe	91
PID 2764 wrote to memory of 4144	2764	Ultra.exe	91
PID 3992 wrote to memory of 4288	3992	keygen-step-4.exe	93
PID 3992 wrote to memory of 4288	3992	keygen-step-4.exe	93
PID 3992 wrote to memory of 4288	3992	keygen-step-4.exe	93
PID 4144 wrote to memory of 4924	4144	Sazhilegiqi.exe	98
PID 4144 wrote to memory of 4924	4144	Sazhilegiqi.exe	98
PID 4924 wrote to memory of 5036	4924	cmd.exe	100
PID 4924 wrote to memory of 5036	4924	cmd.exe	100
PID 4924 wrote to memory of 5036	4924	cmd.exe	100
PID 4288 wrote to memory of 2756	4288	filee.exe	101
PID 4288 wrote to memory of 2756	4288	filee.exe	101
PID 4288 wrote to memory of 2756	4288	filee.exe	101
PID 4144 wrote to memory of 3392	4144	Sazhilegiqi.exe	103
PID 4144 wrote to memory of 3392	4144	Sazhilegiqi.exe	103
PID 2756 wrote to memory of 4324	2756	cmd.exe	105
PID 2756 wrote to memory of 4324	2756	cmd.exe	105
PID 2756 wrote to memory of 4324	2756	cmd.exe	105
PID 3392 wrote to memory of 4872	3392	cmd.exe	106

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1184

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2740

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1820

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1404

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:676
- C:\Users\Admin\AppData\Roaming\siejghe
  C:\Users\Admin\AppData\Roaming\siejghe
  2⤵
  - Checks SCSI registry key(s)
  PID:2960
- C:\Users\Admin\AppData\Roaming\wdejghe
  C:\Users\Admin\AppData\Roaming\wdejghe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6384
- - C:\Users\Admin\AppData\Roaming\wdejghe
    C:\Users\Admin\AppData\Roaming\wdejghe
    3⤵
    - Checks SCSI registry key(s)
    PID:1356
- C:\Users\Admin\AppData\Roaming\siejghe
  C:\Users\Admin\AppData\Roaming\siejghe
  2⤵
  - Checks SCSI registry key(s)
  PID:1500
- C:\Users\Admin\AppData\Roaming\wdejghe
  C:\Users\Admin\AppData\Roaming\wdejghe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5952
- - C:\Users\Admin\AppData\Roaming\wdejghe
    C:\Users\Admin\AppData\Roaming\wdejghe
    3⤵
    - Checks SCSI registry key(s)
    PID:3192
- C:\Users\Admin\AppData\Roaming\siejghe
  C:\Users\Admin\AppData\Roaming\siejghe
  2⤵
  - Checks SCSI registry key(s)
  PID:9888
- C:\Users\Admin\AppData\Roaming\wdejghe
  C:\Users\Admin\AppData\Roaming\wdejghe
  2⤵
  - Suspicious use of SetThreadContext
  PID:10100
- - C:\Users\Admin\AppData\Roaming\wdejghe
    C:\Users\Admin\AppData\Roaming\wdejghe
    3⤵
    - Checks SCSI registry key(s)
    PID:9700

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:68

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3552
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Users\Admin\AppData\Local\Temp\is-LN4OT.tmp\Install.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-LN4OT.tmp\Install.tmp" /SL5="$40146,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\is-HK97U.tmp\Ultra.exe
      "C:\Users\Admin\AppData\Local\Temp\is-HK97U.tmp\Ultra.exe" /S /UID=burnerch1
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Program Files\Reference Assemblies\SFLFKNWVEU\ultramediaburner.exe
        
        "C:\Program Files\Reference Assemblies\SFLFKNWVEU\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Users\Admin\AppData\Local\Temp\is-PCMQQ.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PCMQQ.tmp\ultramediaburner.tmp" /SL5="$201D6,281924,62464,C:\Program Files\Reference Assemblies\SFLFKNWVEU\ultramediaburner.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        7⤵
        Executes dropped EXE
        
        PID:3472
    - - C:\Users\Admin\AppData\Local\Temp\25-95b40-068-be2b0-4ea4a726e2da3\Cucaculoxi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\25-95b40-068-be2b0-4ea4a726e2da3\Cucaculoxi.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3860
    - - C:\Users\Admin\AppData\Local\Temp\ab-20652-cb3-3f998-c16c318c3fa14\Sazhilegiqi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ab-20652-cb3-3f998-c16c318c3fa14\Sazhilegiqi.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4144
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s553volp.pac\001.exe & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\s553volp.pac\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\s553volp.pac\001.exe
        7⤵
        Executes dropped EXE
        
        PID:5036
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gv0hsr3i.bjk\installer.exe /qn CAMPAIGN="654" & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\gv0hsr3i.bjk\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\gv0hsr3i.bjk\installer.exe /qn CAMPAIGN="654"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:4872
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\gv0hsr3i.bjk\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\gv0hsr3i.bjk\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621100367 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        8⤵
        
        PID:5444
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3ickc32s.asr\hbggg.exe & exit
        6⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\3ickc32s.asr\hbggg.exe
        
        C:\Users\Admin\AppData\Local\Temp\3ickc32s.asr\hbggg.exe
        7⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:7404
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:5776
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\irbhm5qp.wa1\google-game.exe & exit
        6⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\irbhm5qp.wa1\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\irbhm5qp.wa1\google-game.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:5936
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser
        8⤵
        Loads dropped DLL
        
        PID:4428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zkpnx2yf.rti\setup.exe & exit
        6⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\zkpnx2yf.rti\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\zkpnx2yf.rti\setup.exe
        7⤵
        Executes dropped EXE
        
        PID:5948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\zkpnx2yf.rti\setup.exe"
        8⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        9⤵
        Runs ping.exe
        
        PID:5124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lnqj5vgc.1zu\customer1.exe & exit
        6⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\lnqj5vgc.1zu\customer1.exe
        
        C:\Users\Admin\AppData\Local\Temp\lnqj5vgc.1zu\customer1.exe
        7⤵
        Executes dropped EXE
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:7308
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\50rmamqx.kqv\toolspab1.exe & exit
        6⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\50rmamqx.kqv\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\50rmamqx.kqv\toolspab1.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\50rmamqx.kqv\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\50rmamqx.kqv\toolspab1.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:6068
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cpf2m5y1.ayw\GcleanerWW.exe /mixone & exit
        6⤵
        
        PID:1080
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\t3u2yo5z.3cd\005.exe & exit
        6⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\t3u2yo5z.3cd\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\t3u2yo5z.3cd\005.exe
        7⤵
        Executes dropped EXE
        
        PID:4880
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kkqgjqtj.11q\installer.exe /qn CAMPAIGN="654" & exit
        6⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\kkqgjqtj.11q\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\kkqgjqtj.11q\installer.exe /qn CAMPAIGN="654"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:2168
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\kkqgjqtj.11q\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\kkqgjqtj.11q\ EXE_CMD_LINE="/forcecleanup /wintime 1621100367 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        8⤵
        
        PID:3220
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\veyd4mnu.z3s\702564a0.exe & exit
        6⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\veyd4mnu.z3s\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\veyd4mnu.z3s\702564a0.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5856
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\btbpi4c3.ija\app.exe /8-2222 & exit
        6⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\btbpi4c3.ija\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\btbpi4c3.ija\app.exe /8-2222
        7⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\btbpi4c3.ija\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\btbpi4c3.ija\app.exe" /8-2222
        8⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:4820
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d2z1i3md.e3q\Setup3310.exe /Verysilent /subid=623 & exit
        6⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\d2z1i3md.e3q\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\d2z1i3md.e3q\Setup3310.exe /Verysilent /subid=623
        7⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\is-MQVUB.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-MQVUB.tmp\Setup3310.tmp" /SL5="$3036A,138429,56832,C:\Users\Admin\AppData\Local\Temp\d2z1i3md.e3q\Setup3310.exe" /Verysilent /subid=623
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\is-U6C08.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-U6C08.tmp\Setup.exe" /Verysilent
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3908
        
        C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4464
        
        C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"
        11⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:5332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
        11⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im RunWW.exe /f
        12⤵
        Kills process with taskkill
        
        PID:5028
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        12⤵
        Delays execution with timeout.exe
        
        PID:6584
        
        C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        10⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\is-GBBTK.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GBBTK.tmp\LabPicV3.tmp" /SL5="$303B2,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        11⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\is-AFUSC.tmp\3316505.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-AFUSC.tmp\3316505.exe" /S /UID=lab214
        12⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:5668
        
        C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe"
        10⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        11⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        12⤵
        Kills process with taskkill
        
        PID:4292
        
        C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe"
        10⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        
        PID:5748
        
        C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        10⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\is-B43SB.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-B43SB.tmp\lylal220.tmp" /SL5="$503A2,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        11⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\is-HEI65.tmp\4_177039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-HEI65.tmp\4_177039.exe" /S /UID=lylal220
        12⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4680
        
        C:\Program Files\7-Zip\XXAQELTLBR\irecord.exe
        
        "C:\Program Files\7-Zip\XXAQELTLBR\irecord.exe" /VERYSILENT
        13⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\is-98TUG.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-98TUG.tmp\irecord.tmp" /SL5="$501FA,6139911,56832,C:\Program Files\7-Zip\XXAQELTLBR\irecord.exe" /VERYSILENT
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:2280
        
        C:\Program Files (x86)\recording\i-record.exe
        
        "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
        15⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\d7-9f075-c5e-53981-349c2d6af9ff5\Xiluzhecozhy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d7-9f075-c5e-53981-349c2d6af9ff5\Xiluzhecozhy.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\fd-573c4-b27-4afa9-231c711d83fb7\Gaesojahure.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fd-573c4-b27-4afa9-231c711d83fb7\Gaesojahure.exe"
        13⤵
        Executes dropped EXE
        
        PID:5180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f4xs5wgm.gyp\001.exe & exit
        14⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\f4xs5wgm.gyp\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\f4xs5wgm.gyp\001.exe
        15⤵
        
        PID:4888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b0nx0npz.k4i\installer.exe /qn CAMPAIGN="654" & exit
        14⤵
        
        PID:4760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\b0nx0npz.k4i\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\b0nx0npz.k4i\installer.exe /qn CAMPAIGN="654"
        15⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\b0nx0npz.k4i\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\b0nx0npz.k4i\ EXE_CMD_LINE="/forcecleanup /wintime 1621100367 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        16⤵
        
        PID:6480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0vg5m1nl.tut\hbggg.exe & exit
        14⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\0vg5m1nl.tut\hbggg.exe
        
        C:\Users\Admin\AppData\Local\Temp\0vg5m1nl.tut\hbggg.exe
        15⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        
        PID:7528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tizfikwu.jlu\google-game.exe & exit
        14⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tizfikwu.jlu\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\tizfikwu.jlu\google-game.exe
        15⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser
        16⤵
        
        PID:3160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\smh30qga.u35\setup.exe & exit
        14⤵
        
        PID:6456
        
        C:\Users\Admin\AppData\Local\Temp\smh30qga.u35\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\smh30qga.u35\setup.exe
        15⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\smh30qga.u35\setup.exe"
        16⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        17⤵
        Runs ping.exe
        
        PID:4624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g4ftdego.q5z\customer1.exe & exit
        14⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\g4ftdego.q5z\customer1.exe
        
        C:\Users\Admin\AppData\Local\Temp\g4ftdego.q5z\customer1.exe
        15⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        
        PID:7292
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        
        PID:1548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bvp252jr.ykl\toolspab1.exe & exit
        14⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\bvp252jr.ykl\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\bvp252jr.ykl\toolspab1.exe
        15⤵
        Suspicious use of SetThreadContext
        
        PID:6972
        
        C:\Users\Admin\AppData\Local\Temp\bvp252jr.ykl\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\bvp252jr.ykl\toolspab1.exe
        16⤵
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:4444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5f4so4fs.lh4\GcleanerWW.exe /mixone & exit
        14⤵
        
        PID:6332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ahjchds3.3si\005.exe & exit
        14⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\ahjchds3.3si\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\ahjchds3.3si\005.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2rbdfaey.u1j\installer.exe /qn CAMPAIGN="654" & exit
        14⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\2rbdfaey.u1j\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\2rbdfaey.u1j\installer.exe /qn CAMPAIGN="654"
        15⤵
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:4940
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\2rbdfaey.u1j\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\2rbdfaey.u1j\ EXE_CMD_LINE="/forcecleanup /wintime 1621100367 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        16⤵
        
        PID:6420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yrfqw3dt.o3k\702564a0.exe & exit
        14⤵
        Blocklisted process makes network request
        Executes dropped EXE
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\yrfqw3dt.o3k\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\yrfqw3dt.o3k\702564a0.exe
        15⤵
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:3884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zeoblxl5.uqz\app.exe /8-2222 & exit
        14⤵
        
        PID:3356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        Executes dropped EXE
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\zeoblxl5.uqz\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\zeoblxl5.uqz\app.exe /8-2222
        15⤵
        
        PID:6928
        
        C:\Users\Admin\AppData\Local\Temp\zeoblxl5.uqz\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zeoblxl5.uqz\app.exe" /8-2222
        16⤵
        Modifies data under HKEY_USERS
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5x5gwher.crc\Setup3310.exe /Verysilent /subid=623 & exit
        14⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\5x5gwher.crc\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\5x5gwher.crc\Setup3310.exe /Verysilent /subid=623
        15⤵
        
        PID:6596
        
        C:\Users\Admin\AppData\Local\Temp\is-82JT2.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-82JT2.tmp\Setup3310.tmp" /SL5="$70470,138429,56832,C:\Users\Admin\AppData\Local\Temp\5x5gwher.crc\Setup3310.exe" /Verysilent /subid=623
        16⤵
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\is-K3DG8.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-K3DG8.tmp\Setup.exe" /Verysilent
        17⤵
        Drops file in Program Files directory
        
        PID:4744
        
        C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
        10⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        11⤵
        Loads dropped DLL
        
        PID:3832
        
        C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"
        10⤵
        Executes dropped EXE
        
        PID:5392
        
        C:\Users\Admin\AppData\Roaming\3298972.exe
        
        "C:\Users\Admin\AppData\Roaming\3298972.exe"
        11⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Users\Admin\AppData\Roaming\2548499.exe
        
        "C:\Users\Admin\AppData\Roaming\2548499.exe"
        11⤵
        
        PID:4324
        
        C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        12⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Users\Admin\AppData\Roaming\5480097.exe
        
        "C:\Users\Admin\AppData\Roaming\5480097.exe"
        11⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3448
        
        C:\Users\Admin\AppData\Roaming\2889215.exe
        
        "C:\Users\Admin\AppData\Roaming\2889215.exe"
        11⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1940
        12⤵
        Drops file in Windows directory
        Program crash
        
        PID:5468
        
        C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
        10⤵
        Executes dropped EXE
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        Executes dropped EXE
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:4028
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe" >> NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4324
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:4928
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5700
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:6088
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:5788
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:580
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:2264

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:2960
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:2456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4728

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4828

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5052

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4800

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5164

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:5156
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D7DEF1FD6EE30F073481B3291C833B92 C
  2⤵
  - Loads dropped DLL
  PID:5424
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1E5665A868543128306906FDA6AB4F0
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5896
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:2188
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BFD60357CF001D17D81AD1A080631AD8 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5460
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 40ACF6CFD921E583E4AEC43727486C80 C
  2⤵
  - Loads dropped DLL
  PID:5264
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B962420A81DA5BC49094551A23E4E829
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5372
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:4372
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 35F469329207CAAB4E2080F8C1F1E032 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5848
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EDCAFCEC10791EF8F759801DF3A99EF3 C
  2⤵
  PID:6176
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0C43129E60EF442A2233BC2475748464
  2⤵
  - Blocklisted process makes network request
  PID:6048
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:844
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4948
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A2F0802D209EAFC209BA64EB6920B06D E Global\MSI0000
  2⤵
  PID:6296
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 422DADA362AFC3E8405A08931DBB1044 C
  2⤵
  PID:5472
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FE8A9E9A6486B64AEE4C4A6B85B52289
  2⤵
  - Blocklisted process makes network request
  PID:5284
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:6580
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A37B7C8D89D50CC1174E2157062D8E48 E Global\MSI0000
  2⤵
  PID:740

C:\Users\Admin\AppData\Local\Temp\609F.exe
C:\Users\Admin\AppData\Local\Temp\609F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3296

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2192

C:\Users\Admin\AppData\Local\Temp\9FCC.exe
C:\Users\Admin\AppData\Local\Temp\9FCC.exe
1⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\AA2D.exe
C:\Users\Admin\AppData\Local\Temp\AA2D.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4312

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4980

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6572

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6828

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6860

C:\Users\Admin\AppData\Local\Temp\183A.exe
C:\Users\Admin\AppData\Local\Temp\183A.exe
1⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:6728
- C:\Program Files\Windows Defender\MpCmdRun.exe
  "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -Set-Mp Preference -DisableIOAVProtection $true
  2⤵
  PID:6152
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Drops file in Windows directory
  PID:4172
- - C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -Set-Mp Preference -DisableIOAVProtection $true
    3⤵
    PID:5696
- - C:\Windows\System\spoolsv.exe
    "C:\Windows\System\spoolsv.exe" --MaxCircuitDirtiness 60 --NewCircuitPeriod 1 --MaxClientCircuitsPending 1024 --OptimisticData 1 --KeepalivePeriod 30 --CircuitBuildTimeout 10 --EnforceDistinctSubnets 0 --HardwareAccel 1 --UseEntryGuards 0
    3⤵
    PID:6600
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6152

C:\Users\Admin\AppData\Local\Temp\1DD9.exe
C:\Users\Admin\AppData\Local\Temp\1DD9.exe
1⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\21E1.exe
C:\Users\Admin\AppData\Local\Temp\21E1.exe
1⤵
PID:6452

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3856

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5080

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4324

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6824

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2324

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6424

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6632

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6164

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6544

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5940

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5216

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7460

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:296
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 296 -s 1932
  2⤵
  - Program crash
  PID:2956

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6432

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:64

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3972

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:416

C:\Users\Admin\AppData\Local\Temp\35BB.exe
C:\Users\Admin\AppData\Local\Temp\35BB.exe
1⤵
- Suspicious use of SetThreadContext
PID:1640
- C:\Users\Admin\AppData\Local\Temp\35BB.exe
  C:\Users\Admin\AppData\Local\Temp\35BB.exe
  2⤵
  PID:6124

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:580

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery