redline | 7a6c8ce1e4a64866a8e1341f135544aeb2b7ca4b27d784885dc75df7a96e56f8

System Information Discovery

Processes:

Lusaerufoli.exeTifynodavy.exegoogle-game.exeguihuali-game.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Lusaerufoli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Tifynodavy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	google-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	guihuali-game.exe

Loads dropped DLL 29 IoCs

Processes:

LabPicV3.tmplylal220.tmprundll32.exei-record.exeinstaller.exeMsiExec.exeSetup3310.tmprUNdlL32.eXeMsiExec.exelylal220.tmpLabPicV3.tmprUNdlL32.eXe

pid	process
780	LabPicV3.tmp
3860	lylal220.tmp
4484	rundll32.exe
4852	i-record.exe
4852	i-record.exe
4852	i-record.exe
4852	i-record.exe
4852	i-record.exe
4852	i-record.exe
4852	i-record.exe
4852	i-record.exe
3444	installer.exe
3444	installer.exe
3444	installer.exe
5732	MsiExec.exe
5732	MsiExec.exe
6084	Setup3310.tmp
6084	Setup3310.tmp
6128	rUNdlL32.eXe
5584	MsiExec.exe
5584	MsiExec.exe
5584	MsiExec.exe
5584	MsiExec.exe
5584	MsiExec.exe
5584	MsiExec.exe
5584	MsiExec.exe
6248	lylal220.tmp
6264	LabPicV3.tmp
6604	rUNdlL32.eXe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

alpATCHInO.execmd.exehjjgaa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Xesigaecaezhu.exe\""	alpATCHInO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Hypazhaelikae.exe\""	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

jg7_7wjg.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg7_7wjg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg7_7wjg.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

installer.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

255 ip-api.com
278 ipinfo.io
281 ipinfo.io
302 ipinfo.io
12 ip-api.com
99 ip-api.com
121 ipinfo.io
124 ipinfo.io

flow	ioc
255	ip-api.com
278	ipinfo.io
281	ipinfo.io
302	ipinfo.io
12	ip-api.com
99	ip-api.com
121	ipinfo.io
124	ipinfo.io

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

svchost.exe229623323.exe2115970737.exeLOQn7WyBrhly.exe

description	pid	process	target process
PID 2976 set thread context of 4672	2976	svchost.exe	svchost.exe
PID 4296 set thread context of 4800	4296	229623323.exe	AddInProcess32.exe
PID 3564 set thread context of 4572	3564	2115970737.exe	AddInProcess32.exe
PID 2976 set thread context of 4168	2976	svchost.exe	svchost.exe
PID 3600 set thread context of 4228	3600	LOQn7WyBrhly.exe	AddInProcess32.exe

autoit_exe 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\sskiper.exe	autoit_exe
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\sskiper.exe	autoit_exe

Drops file in Program Files directory 64 IoCs

Processes:

alpATCHInO.exeprolab.tmpirecord.tmp7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exeguihuali-game.exejg7_7wjg.execmd.exeConhost.exe

description	ioc	process
File created	C:\Program Files\Reference Assemblies\SYYALFTANO\prolab.exe.config	alpATCHInO.exe
File created	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\WindowsPowerShell\Xesigaecaezhu.exe.config	alpATCHInO.exe
File opened for modification	C:\Program Files (x86)\recording\avutil-51.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe
File created	C:\Program Files\api-ms-win-crt-runtime-l1-1-0.dll	guihuali-game.exe
File created	C:\Program Files (x86)\recording\is-UAS68.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-4CN6I.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\Bunifu_UI_v1.52.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Uninstall.exe	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe
File created	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\tmp.edb	jg7_7wjg.exe
File created	C:\Program Files (x86)\Picture Lab\is-R1FJ0.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-5RIF4.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-JH3TE.tmp	prolab.tmp
File created	C:\Program Files\Microsoft Office\FEYQKBCZIM\irecord.exe.config	cmd.exe
File created	C:\Program Files (x86)\recording\is-NE3S4.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-3UKII.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-D93CQ.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\avcodec-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\swresample-0.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\d.jfm	jg7_7wjg.exe
File created	C:\Program Files\Reference Assemblies\SYYALFTANO\prolab.exe	alpATCHInO.exe
File created	C:\Program Files (x86)\Picture Lab\is-SKLJR.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\i-record.exe	irecord.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe
File created	C:\Program Files\unins.vbs	guihuali-game.exe
File created	C:\Program Files\jp2native.dll	guihuali-game.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\d.INTEG.RAW	jg7_7wjg.exe
File created	C:\Program Files (x86)\recording\is-JOSVG.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-98SBU.tmp	irecord.tmp
File created	C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.ini	Conhost.exe
File opened for modification	C:\Program Files (x86)\recording\swscale-2.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-MUGVF.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-MQVTC.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe	Conhost.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\DockingToolbar.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-E59RM.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-J59TC.tmp	prolab.tmp
File created	C:\Program Files\Microsoft Office\FEYQKBCZIM\irecord.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\recording\avformat-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe	Conhost.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\BarSetpFile.exe	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe
File created	C:\Program Files\unins0000.dll	guihuali-game.exe
File created	C:\Program Files\unins0000.dat	guihuali-game.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Xesigaecaezhu.exe	alpATCHInO.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\d	jg7_7wjg.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceLibrary.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\unins000.exe	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe	Conhost.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe	Conhost.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe
File created	C:\Program Files\api-ms-win-crt-convert-l1-1-0.dll	guihuali-game.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Math.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\postproc-52.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-T82OC.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-HVSPH.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-1VLNA.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\sskiper.exe	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI91F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9352.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90BD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9199.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f748bda.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E4B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI92A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI93EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Installer\f748bda.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

7648 6992 WerFault.exe 1251292.exe
6592 4380 WerFault.exe 702564a0.exe

pid	pid_target	process	target process
7648	6992	WerFault.exe	1251292.exe
6592	4380	WerFault.exe	702564a0.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

svchost.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

7384 timeout.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4280 taskkill.exe
5644 taskkill.exe
6236 taskkill.exe
7104 taskkill.exe
5492 taskkill.exe

pid	process
7384	timeout.exe

pid	process
4280	taskkill.exe
5644	taskkill.exe
6236	taskkill.exe
7104	taskkill.exe
5492	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

Processes:

browser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies data under HKEY_USERS 13 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exerUNdlL32.eXesvchost.exesvchost.exeMicrosoftEdgeCP.exesvchost.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000e425e7e816bd2d1dfa821c06498c380bec5d9b880925fec4a31b24a29353f70357572ea20949442e357fb7fff4b927e783751da1f7fdd05c9d31dd81e831a088435dc3580156ac2acff7fade5f70773455f2e6d56aa73ee383d4bd21ef68203efe5880fbca84e676570df4e0814f45ed40f4f51703c2f0d9ba24e0ef959862f5046927c5b773a5639edfcaeee9f7f8ec089bc0caabed4e42ab414c721a617d884dae0ad991c336565d8f16d56709186ce306574616ca160cf94b63ec21638ceaa348bc302a15bf03993b0226df235710d95750abbdf7579cff6285d97c3eafb5ed57fed66d0780ba740546c764e7fd8a21adfc0aa316cb5adaa6a1353592145424fc5975573afdbfbe0b512cfdf3a7c5582885d571c64959cd3708936aff51b84255ae30164ed8b4216f743a92e818a49de75ea780a659038b35d007662538a18b836bd59ae39516bd4fa2da38671f50db0c3554cf58fde080c0dadf9ea36873daa6715280999cc61bcd3f5aba0ed918e5b63552267b576988f8592ba71bba9b37dfe6888210d1a3bd07c198547febdf4a05a66be5ae73e645b84d7cd762a4cffa3d18402c8d	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 421f71d81c4dd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify.	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TV2553ZI-PZ3Y-VP7M-68Y0-MJT9X67Z6U7M}	rUNdlL32.eXe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TV2553ZI-PZ3Y-VP7M-68Y0-MJT9X67Z6U7M}	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K}\1 = "4796"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1a7c49d71c4dd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 826e52dd1c4dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S}	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EL1681II-FO1F-AN2G-81K3-DNI5R86H5R6K}\1 = "22"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

installer.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4976 PING.EXE

pid	process
4976	PING.EXE

Script User-Agent 9 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	299	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	304	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	124	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	163	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	167	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	286	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	123	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	132	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	279	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exesvchost.exejfiag3g_gg.exeprolab.tmpirecord.tmpFelipiboxa.exe

pid	process
4484	rundll32.exe
4484	rundll32.exe
2976	svchost.exe
2976	svchost.exe
4360	jfiag3g_gg.exe
4360	jfiag3g_gg.exe
2976	svchost.exe
2976	svchost.exe
1184	prolab.tmp
1184	prolab.tmp
3872	irecord.tmp
3872	irecord.tmp
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe
4552	Felipiboxa.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

5356 MicrosoftEdgeCP.exe
5356 MicrosoftEdgeCP.exe

pid	process
5356	MicrosoftEdgeCP.exe
5356	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Three.exeBarSetpFile.exeJoSetp.exerundll32.exesvchost.execmd.exealpATCHInO.exejg7_7wjg.exe229623323.exe2115970737.exesvchost.exeAddInProcess32.exeAddInProcess32.exesvchost.exeTifynodavy.exe

description	pid	process
Token: SeDebugPrivilege	1912	Three.exe
Token: SeDebugPrivilege	3976	BarSetpFile.exe
Token: SeDebugPrivilege	2808	JoSetp.exe
Token: SeDebugPrivilege	4484	rundll32.exe
Token: SeDebugPrivilege	4484	rundll32.exe
Token: SeTcbPrivilege	2976	svchost.exe
Token: SeDebugPrivilege	4484	rundll32.exe
Token: SeDebugPrivilege	4484	rundll32.exe
Token: SeDebugPrivilege	4484	rundll32.exe
Token: SeDebugPrivilege	4484	rundll32.exe
Token: SeDebugPrivilege	4484	rundll32.exe
Token: SeDebugPrivilege	4484	rundll32.exe
Token: SeDebugPrivilege	4484	rundll32.exe
Token: SeDebugPrivilege	4484	rundll32.exe
Token: SeDebugPrivilege	4484	rundll32.exe
Token: SeDebugPrivilege	4484	rundll32.exe
Token: SeDebugPrivilege	4484	rundll32.exe
Token: SeDebugPrivilege	4520	cmd.exe
Token: SeDebugPrivilege	4584	alpATCHInO.exe
Token: SeManageVolumePrivilege	1444	jg7_7wjg.exe
Token: SeDebugPrivilege	4296	229623323.exe
Token: SeManageVolumePrivilege	1444	jg7_7wjg.exe
Token: SeDebugPrivilege	3564	2115970737.exe
Token: SeManageVolumePrivilege	1444	jg7_7wjg.exe
Token: SeTcbPrivilege	2976	svchost.exe
Token: SeAuditPrivilege	2536	svchost.exe
Token: SeDebugPrivilege	4800	AddInProcess32.exe
Token: SeDebugPrivilege	4572	AddInProcess32.exe
Token: SeAssignPrimaryTokenPrivilege	2780	svchost.exe
Token: SeIncreaseQuotaPrivilege	2780	svchost.exe
Token: SeSecurityPrivilege	2780	svchost.exe
Token: SeTakeOwnershipPrivilege	2780	svchost.exe
Token: SeLoadDriverPrivilege	2780	svchost.exe
Token: SeSystemtimePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeShutdownPrivilege	2780	svchost.exe
Token: SeSystemEnvironmentPrivilege	2780	svchost.exe
Token: SeUndockPrivilege	2780	svchost.exe
Token: SeManageVolumePrivilege	2780	svchost.exe
Token: SeDebugPrivilege	4104	Tifynodavy.exe
Token: SeAssignPrimaryTokenPrivilege	2780	svchost.exe
Token: SeIncreaseQuotaPrivilege	2780	svchost.exe
Token: SeSecurityPrivilege	2780	svchost.exe
Token: SeTakeOwnershipPrivilege	2780	svchost.exe
Token: SeLoadDriverPrivilege	2780	svchost.exe
Token: SeSystemtimePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeShutdownPrivilege	2780	svchost.exe
Token: SeSystemEnvironmentPrivilege	2780	svchost.exe
Token: SeUndockPrivilege	2780	svchost.exe
Token: SeManageVolumePrivilege	2780	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2780	svchost.exe
Token: SeIncreaseQuotaPrivilege	2780	svchost.exe
Token: SeSecurityPrivilege	2780	svchost.exe
Token: SeTakeOwnershipPrivilege	2780	svchost.exe
Token: SeLoadDriverPrivilege	2780	svchost.exe
Token: SeSystemtimePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeShutdownPrivilege	2780	svchost.exe
Token: SeSystemEnvironmentPrivilege	2780	svchost.exe
Token: SeUndockPrivilege	2780	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

prolab.tmpirecord.tmpinstaller.exeSetup3310.tmp

pid process

1184 prolab.tmp
3872 irecord.tmp
3444 installer.exe
6084 Setup3310.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4560 MicrosoftEdge.exe
5356 MicrosoftEdgeCP.exe
5356 MicrosoftEdgeCP.exe

pid	process
1184	prolab.tmp
3872	irecord.tmp
3444	installer.exe
6084	Setup3310.tmp

pid	process
4560	MicrosoftEdge.exe
5356	MicrosoftEdgeCP.exe
5356	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exeLabPicV3.exelylal220.exeguihuali-game.exehjjgaa.exeWScript.exelylal220.tmpLabPicV3.tmprundll32.exesvchost.exe

description	pid	process	target process
PID 3172 wrote to memory of 1160	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	hjjgaa.exe
PID 3172 wrote to memory of 1160	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	hjjgaa.exe
PID 3172 wrote to memory of 1160	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	hjjgaa.exe
PID 3172 wrote to memory of 1200	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	RunWW.exe
PID 3172 wrote to memory of 1200	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	RunWW.exe
PID 3172 wrote to memory of 1200	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	RunWW.exe
PID 3172 wrote to memory of 1444	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	jg7_7wjg.exe
PID 3172 wrote to memory of 1444	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	jg7_7wjg.exe
PID 3172 wrote to memory of 1444	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	jg7_7wjg.exe
PID 3172 wrote to memory of 1660	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	guihuali-game.exe
PID 3172 wrote to memory of 1660	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	guihuali-game.exe
PID 3172 wrote to memory of 1660	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	guihuali-game.exe
PID 3172 wrote to memory of 1912	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	Three.exe
PID 3172 wrote to memory of 1912	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	Three.exe
PID 3172 wrote to memory of 2356	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	LabPicV3.exe
PID 3172 wrote to memory of 2356	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	LabPicV3.exe
PID 3172 wrote to memory of 2356	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	LabPicV3.exe
PID 3172 wrote to memory of 2576	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	lylal220.exe
PID 3172 wrote to memory of 2576	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	lylal220.exe
PID 3172 wrote to memory of 2576	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	lylal220.exe
PID 3172 wrote to memory of 2808	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	JoSetp.exe
PID 3172 wrote to memory of 2808	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	JoSetp.exe
PID 3172 wrote to memory of 3976	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	BarSetpFile.exe
PID 3172 wrote to memory of 3976	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	BarSetpFile.exe
PID 3172 wrote to memory of 3600	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	LOQn7WyBrhly.exe
PID 3172 wrote to memory of 3600	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	LOQn7WyBrhly.exe
PID 3172 wrote to memory of 3600	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	LOQn7WyBrhly.exe
PID 3172 wrote to memory of 3940	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	sskiper.exe
PID 3172 wrote to memory of 3940	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	sskiper.exe
PID 3172 wrote to memory of 3940	3172	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	sskiper.exe
PID 2356 wrote to memory of 780	2356	LabPicV3.exe	LabPicV3.tmp
PID 2356 wrote to memory of 780	2356	LabPicV3.exe	LabPicV3.tmp
PID 2356 wrote to memory of 780	2356	LabPicV3.exe	LabPicV3.tmp
PID 2576 wrote to memory of 3860	2576	lylal220.exe	lylal220.tmp
PID 2576 wrote to memory of 3860	2576	lylal220.exe	lylal220.tmp
PID 2576 wrote to memory of 3860	2576	lylal220.exe	lylal220.tmp
PID 1660 wrote to memory of 4160	1660	guihuali-game.exe	WScript.exe
PID 1660 wrote to memory of 4160	1660	guihuali-game.exe	WScript.exe
PID 1660 wrote to memory of 4160	1660	guihuali-game.exe	WScript.exe
PID 1160 wrote to memory of 4324	1160	hjjgaa.exe	jfiag3g_gg.exe
PID 1160 wrote to memory of 4324	1160	hjjgaa.exe	jfiag3g_gg.exe
PID 1160 wrote to memory of 4324	1160	hjjgaa.exe	jfiag3g_gg.exe
PID 4160 wrote to memory of 4484	4160	WScript.exe	rundll32.exe
PID 4160 wrote to memory of 4484	4160	WScript.exe	rundll32.exe
PID 4160 wrote to memory of 4484	4160	WScript.exe	rundll32.exe
PID 3860 wrote to memory of 4520	3860	lylal220.tmp	cmd.exe
PID 3860 wrote to memory of 4520	3860	lylal220.tmp	cmd.exe
PID 780 wrote to memory of 4584	780	LabPicV3.tmp	alpATCHInO.exe
PID 780 wrote to memory of 4584	780	LabPicV3.tmp	alpATCHInO.exe
PID 4484 wrote to memory of 2976	4484	rundll32.exe	svchost.exe
PID 4484 wrote to memory of 2696	4484	rundll32.exe	svchost.exe
PID 2976 wrote to memory of 4672	2976	svchost.exe	svchost.exe
PID 2976 wrote to memory of 4672	2976	svchost.exe	svchost.exe
PID 2976 wrote to memory of 4672	2976	svchost.exe	svchost.exe
PID 4484 wrote to memory of 1008	4484	rundll32.exe	svchost.exe
PID 4484 wrote to memory of 2528	4484	rundll32.exe	svchost.exe
PID 4484 wrote to memory of 2536	4484	rundll32.exe	svchost.exe
PID 4484 wrote to memory of 1140	4484	rundll32.exe	svchost.exe
PID 4484 wrote to memory of 1084	4484	rundll32.exe	svchost.exe
PID 4484 wrote to memory of 1420	4484	rundll32.exe	svchost.exe
PID 4484 wrote to memory of 1948	4484	rundll32.exe	svchost.exe
PID 4484 wrote to memory of 1176	4484	rundll32.exe	svchost.exe
PID 4484 wrote to memory of 1412	4484	rundll32.exe	svchost.exe
PID 4484 wrote to memory of 2780	4484	rundll32.exe	svchost.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1084

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2528

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2696

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2800

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1948

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1176

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1140

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe
"C:\Users\Admin\AppData\Local\Temp\7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3172

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4324

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4360

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"
2⤵
- Executes dropped EXE
PID:1200

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
4⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\is-8D640.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8D640.tmp\LabPicV3.tmp" /SL5="$10200,136934,53248,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780

C:\Users\Admin\AppData\Local\Temp\is-9OSSJ.tmp\alpATCHInO.exe
"C:\Users\Admin\AppData\Local\Temp\is-9OSSJ.tmp\alpATCHInO.exe" /S /UID=lab214
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Program Files\Reference Assemblies\SYYALFTANO\prolab.exe
"C:\Program Files\Reference Assemblies\SYYALFTANO\prolab.exe" /VERYSILENT
5⤵
- Executes dropped EXE
PID:4796

C:\Users\Admin\AppData\Local\Temp\is-0A947.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0A947.tmp\prolab.tmp" /SL5="$400CA,575243,216576,C:\Program Files\Reference Assemblies\SYYALFTANO\prolab.exe" /VERYSILENT
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1184

C:\Users\Admin\AppData\Local\Temp\db-3e4a3-f47-b0bbb-fef567affc467\Tifynodavy.exe
"C:\Users\Admin\AppData\Local\Temp\db-3e4a3-f47-b0bbb-fef567affc467\Tifynodavy.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Users\Admin\AppData\Local\Temp\fe-777fb-2e2-b5098-d30b867691a68\Felipiboxa.exe
"C:\Users\Admin\AppData\Local\Temp\fe-777fb-2e2-b5098-d30b867691a68\Felipiboxa.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4552

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LOQn7WyBrhly.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LOQn7WyBrhly.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
PID:4228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
PID:4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
PID:4664

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\BarSetpFile.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\BarSetpFile.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\is-2IIIJ.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2IIIJ.tmp\lylal220.tmp" /SL5="$10206,298214,214528,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3860

C:\Users\Admin\AppData\Local\Temp\is-85D47.tmp\ysAGEL.exe
"C:\Users\Admin\AppData\Local\Temp\is-85D47.tmp\ysAGEL.exe" /S /UID=lylal220
4⤵
PID:4520

C:\Program Files\Microsoft Office\FEYQKBCZIM\irecord.exe
"C:\Program Files\Microsoft Office\FEYQKBCZIM\irecord.exe" /VERYSILENT
5⤵
- Executes dropped EXE
PID:4720

C:\Users\Admin\AppData\Local\Temp\is-RDQ3G.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RDQ3G.tmp\irecord.tmp" /SL5="$301F2,6139911,56832,C:\Program Files\Microsoft Office\FEYQKBCZIM\irecord.exe" /VERYSILENT
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3872

C:\Program Files (x86)\recording\i-record.exe
"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4852

C:\Users\Admin\AppData\Local\Temp\a0-04425-e7f-d7aad-62cb38fd750d1\Lusaerufoli.exe
"C:\Users\Admin\AppData\Local\Temp\a0-04425-e7f-d7aad-62cb38fd750d1\Lusaerufoli.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4148

C:\Users\Admin\AppData\Local\Temp\6c-bff2c-df5-020ba-fc52c4e4f458f\Gaerifenosae.exe
"C:\Users\Admin\AppData\Local\Temp\6c-bff2c-df5-020ba-fc52c4e4f458f\Gaerifenosae.exe"
5⤵
- Executes dropped EXE
PID:4972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iyyp4kj5.vs1\001.exe & exit
6⤵
PID:4124

C:\Users\Admin\AppData\Local\Temp\iyyp4kj5.vs1\001.exe
C:\Users\Admin\AppData\Local\Temp\iyyp4kj5.vs1\001.exe
7⤵
- Executes dropped EXE
PID:1628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\42jduhpx.dyl\installer.exe /qn CAMPAIGN="654" & exit
6⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Users\Admin\AppData\Local\Temp\42jduhpx.dyl\installer.exe
C:\Users\Admin\AppData\Local\Temp\42jduhpx.dyl\installer.exe /qn CAMPAIGN="654"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:3444

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\42jduhpx.dyl\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\42jduhpx.dyl\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621217139 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
8⤵
PID:5988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\novdnpva.dkn\hbggg.exe & exit
6⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\novdnpva.dkn\hbggg.exe
C:\Users\Admin\AppData\Local\Temp\novdnpva.dkn\hbggg.exe
7⤵
- Executes dropped EXE
PID:5204

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
- Executes dropped EXE
PID:5324

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
PID:2284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\asbcm32e.rah\Setup3310.exe /Verysilent /subid=623 & exit
6⤵
PID:5936

C:\Users\Admin\AppData\Local\Temp\asbcm32e.rah\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\asbcm32e.rah\Setup3310.exe /Verysilent /subid=623
7⤵
PID:6048

C:\Users\Admin\AppData\Local\Temp\is-R31TO.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R31TO.tmp\Setup3310.tmp" /SL5="$20378,138429,56832,C:\Users\Admin\AppData\Local\Temp\asbcm32e.rah\Setup3310.exe" /Verysilent /subid=623
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:6084

C:\Users\Admin\AppData\Local\Temp\is-IP2JO.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-IP2JO.tmp\Setup.exe" /Verysilent
9⤵
PID:5856

C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe
"C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"
10⤵
- Executes dropped EXE
PID:4232

C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe
"C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"
11⤵
PID:7416

C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
10⤵
- Executes dropped EXE
PID:4764

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
11⤵
PID:6928

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
11⤵
PID:6860

C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
10⤵
- Executes dropped EXE
PID:5824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
11⤵
PID:7048

C:\Windows\SysWOW64\taskkill.exe
taskkill /im RunWW.exe /f
12⤵
- Kills process with taskkill
PID:7104

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
12⤵
- Delays execution with timeout.exe
PID:7384

C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
"C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
PID:2312

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
11⤵
- Loads dropped DLL
PID:6604

C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
"C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"
10⤵
- Executes dropped EXE
PID:5496

C:\Users\Admin\AppData\Roaming\1050355.exe
"C:\Users\Admin\AppData\Roaming\1050355.exe"
11⤵
PID:7076

C:\Users\Admin\AppData\Roaming\5455857.exe
"C:\Users\Admin\AppData\Roaming\5455857.exe"
11⤵
PID:7132

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
12⤵
PID:2276

C:\Users\Admin\AppData\Roaming\1835570.exe
"C:\Users\Admin\AppData\Roaming\1835570.exe"
11⤵
PID:6396

C:\Users\Admin\AppData\Roaming\1251292.exe
"C:\Users\Admin\AppData\Roaming\1251292.exe"
11⤵
PID:6992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 1740
12⤵
- Program crash
PID:7648

C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe
"C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe"
10⤵
- Executes dropped EXE
PID:6152

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
11⤵
PID:5920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5856

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
12⤵
- Kills process with taskkill
PID:6236

C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe
"C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe"
10⤵
- Executes dropped EXE
PID:4652

C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
"C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
10⤵
- Executes dropped EXE
PID:3940

C:\Users\Admin\AppData\Local\Temp\is-BFGAS.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BFGAS.tmp\lylal220.tmp" /SL5="$20440,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6248

C:\Users\Admin\AppData\Local\Temp\is-CLDR9.tmp\4_177039.exe
"C:\Users\Admin\AppData\Local\Temp\is-CLDR9.tmp\4_177039.exe" /S /UID=lylal220
12⤵
PID:6840

C:\Users\Admin\AppData\Local\Temp\f9-f0cde-b30-65fb8-574b3e6f4312c\Balyzhapuma.exe
"C:\Users\Admin\AppData\Local\Temp\f9-f0cde-b30-65fb8-574b3e6f4312c\Balyzhapuma.exe"
13⤵
PID:7112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d24mzs35.j2s\001.exe & exit
14⤵
PID:6948

C:\Users\Admin\AppData\Local\Temp\d24mzs35.j2s\001.exe
C:\Users\Admin\AppData\Local\Temp\d24mzs35.j2s\001.exe
15⤵
PID:6228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ot0fagwj.rud\installer.exe /qn CAMPAIGN="654" & exit
14⤵
PID:7272

C:\Users\Admin\AppData\Local\Temp\ot0fagwj.rud\installer.exe
C:\Users\Admin\AppData\Local\Temp\ot0fagwj.rud\installer.exe /qn CAMPAIGN="654"
15⤵
PID:7544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bh50hm0z.qdw\hbggg.exe & exit
14⤵
PID:6972

C:\Users\Admin\AppData\Local\Temp\bh50hm0z.qdw\hbggg.exe
C:\Users\Admin\AppData\Local\Temp\bh50hm0z.qdw\hbggg.exe
15⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
16⤵
PID:7096

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
16⤵
PID:6516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bep323at.tbq\Setup3310.exe /Verysilent /subid=623 & exit
14⤵
PID:7964

C:\Users\Admin\AppData\Local\Temp\bep323at.tbq\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\bep323at.tbq\Setup3310.exe /Verysilent /subid=623
15⤵
PID:7704

C:\Users\Admin\AppData\Local\Temp\is-U733A.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U733A.tmp\Setup3310.tmp" /SL5="$2041A,138429,56832,C:\Users\Admin\AppData\Local\Temp\bep323at.tbq\Setup3310.exe" /Verysilent /subid=623
16⤵
PID:7652

C:\Users\Admin\AppData\Local\Temp\is-K5BOT.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-K5BOT.tmp\Setup.exe" /Verysilent
17⤵
PID:4948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y1q4mbdx.o0b\google-game.exe & exit
14⤵
PID:6552

C:\Users\Admin\AppData\Local\Temp\y1q4mbdx.o0b\google-game.exe
C:\Users\Admin\AppData\Local\Temp\y1q4mbdx.o0b\google-game.exe
15⤵
PID:7196

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser
16⤵
PID:7616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y2bfzn2z.3ga\setup.exe & exit
14⤵
PID:7320

C:\Users\Admin\AppData\Local\Temp\y2bfzn2z.3ga\setup.exe
C:\Users\Admin\AppData\Local\Temp\y2bfzn2z.3ga\setup.exe
15⤵
PID:7336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h5vwm1nj.gtq\customer1.exe & exit
14⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\h5vwm1nj.gtq\customer1.exe
C:\Users\Admin\AppData\Local\Temp\h5vwm1nj.gtq\customer1.exe
15⤵
PID:7624

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
16⤵
PID:6356

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
16⤵
PID:7256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vbsuybkr.k4m\GcleanerWW.exe /mixone & exit
14⤵
PID:6772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n23gdvrg.lcu\005.exe & exit
14⤵
PID:7716

C:\Users\Admin\AppData\Local\Temp\n23gdvrg.lcu\005.exe
C:\Users\Admin\AppData\Local\Temp\n23gdvrg.lcu\005.exe
15⤵
PID:6056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cekdnl0r.ssc\toolspab1.exe & exit
14⤵
PID:5300

C:\Users\Admin\AppData\Local\Temp\cekdnl0r.ssc\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\cekdnl0r.ssc\toolspab1.exe
15⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\cekdnl0r.ssc\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\cekdnl0r.ssc\toolspab1.exe
16⤵
PID:6220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zm1jlrcm.w4v\702564a0.exe & exit
14⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\zm1jlrcm.w4v\702564a0.exe
C:\Users\Admin\AppData\Local\Temp\zm1jlrcm.w4v\702564a0.exe
15⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 476
16⤵
- Program crash
PID:6592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s2pt3lgs.cag\app.exe /8-2222 & exit
14⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\s2pt3lgs.cag\app.exe
C:\Users\Admin\AppData\Local\Temp\s2pt3lgs.cag\app.exe /8-2222
15⤵
PID:7708

C:\Users\Admin\AppData\Local\Temp\s2pt3lgs.cag\app.exe
"C:\Users\Admin\AppData\Local\Temp\s2pt3lgs.cag\app.exe" /8-2222
16⤵
PID:4760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\deutqsvf.smf\installer.exe /qn CAMPAIGN="654" & exit
14⤵
PID:7468

C:\Users\Admin\AppData\Local\Temp\deutqsvf.smf\installer.exe
C:\Users\Admin\AppData\Local\Temp\deutqsvf.smf\installer.exe /qn CAMPAIGN="654"
15⤵
PID:5012

C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
10⤵
- Executes dropped EXE
PID:5440

C:\Users\Admin\AppData\Local\Temp\is-CBCB2.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CBCB2.tmp\LabPicV3.tmp" /SL5="$40458,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6264

C:\Users\Admin\AppData\Local\Temp\is-BPHR3.tmp\3316505.exe
"C:\Users\Admin\AppData\Local\Temp\is-BPHR3.tmp\3316505.exe" /S /UID=lab214
12⤵
PID:6944

C:\Users\Admin\AppData\Local\Temp\d6-411a9-a1a-2d7b6-508007d8979a2\Pobaevowyfo.exe
"C:\Users\Admin\AppData\Local\Temp\d6-411a9-a1a-2d7b6-508007d8979a2\Pobaevowyfo.exe"
13⤵
PID:6224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\53xn5qvi.2p2\001.exe & exit
14⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\53xn5qvi.2p2\001.exe
C:\Users\Admin\AppData\Local\Temp\53xn5qvi.2p2\001.exe
15⤵
PID:6972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\osxrxifh.1jk\installer.exe /qn CAMPAIGN="654" & exit
14⤵
PID:7400

C:\Users\Admin\AppData\Local\Temp\osxrxifh.1jk\installer.exe
C:\Users\Admin\AppData\Local\Temp\osxrxifh.1jk\installer.exe /qn CAMPAIGN="654"
15⤵
PID:7656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\csp0jork.vna\hbggg.exe & exit
14⤵
PID:8156

C:\Users\Admin\AppData\Local\Temp\csp0jork.vna\hbggg.exe
C:\Users\Admin\AppData\Local\Temp\csp0jork.vna\hbggg.exe
15⤵
PID:5860

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
16⤵
PID:5844

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
16⤵
PID:5164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oozadjlb.p4f\Setup3310.exe /Verysilent /subid=623 & exit
14⤵
PID:7392

C:\Users\Admin\AppData\Local\Temp\oozadjlb.p4f\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\oozadjlb.p4f\Setup3310.exe /Verysilent /subid=623
15⤵
PID:7388

C:\Users\Admin\AppData\Local\Temp\is-K338E.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K338E.tmp\Setup3310.tmp" /SL5="$30378,138429,56832,C:\Users\Admin\AppData\Local\Temp\oozadjlb.p4f\Setup3310.exe" /Verysilent /subid=623
16⤵
PID:7784

C:\Users\Admin\AppData\Local\Temp\is-HNVNS.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-HNVNS.tmp\Setup.exe" /Verysilent
17⤵
PID:8028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ljvkd1kj.p2n\google-game.exe & exit
14⤵
PID:4160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
15⤵
- Executes dropped EXE
PID:6048

C:\Users\Admin\AppData\Local\Temp\ljvkd1kj.p2n\google-game.exe
C:\Users\Admin\AppData\Local\Temp\ljvkd1kj.p2n\google-game.exe
15⤵
PID:5200

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser
16⤵
PID:7496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5yafbce2.aog\setup.exe & exit
14⤵
PID:7700

C:\Users\Admin\AppData\Local\Temp\5yafbce2.aog\setup.exe
C:\Users\Admin\AppData\Local\Temp\5yafbce2.aog\setup.exe
15⤵
PID:6404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j2famge1.wqm\customer1.exe & exit
14⤵
PID:6892

C:\Users\Admin\AppData\Local\Temp\j2famge1.wqm\customer1.exe
C:\Users\Admin\AppData\Local\Temp\j2famge1.wqm\customer1.exe
15⤵
PID:7504

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
16⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
16⤵
PID:6492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gtvkfcf4.tir\GcleanerWW.exe /mixone & exit
14⤵
PID:4424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jjknltz5.s4o\005.exe & exit
14⤵
PID:5188

C:\Users\Admin\AppData\Local\Temp\jjknltz5.s4o\005.exe
C:\Users\Admin\AppData\Local\Temp\jjknltz5.s4o\005.exe
15⤵
PID:4444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rtipexmc.bmm\toolspab1.exe & exit
14⤵
PID:6556

C:\Users\Admin\AppData\Local\Temp\rtipexmc.bmm\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\rtipexmc.bmm\toolspab1.exe
15⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\rtipexmc.bmm\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\rtipexmc.bmm\toolspab1.exe
16⤵
PID:4128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ikuz45xx.pqw\702564a0.exe & exit
14⤵
PID:6756

C:\Users\Admin\AppData\Local\Temp\ikuz45xx.pqw\702564a0.exe
C:\Users\Admin\AppData\Local\Temp\ikuz45xx.pqw\702564a0.exe
15⤵
PID:5316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s30x1yxw.rrb\app.exe /8-2222 & exit
14⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\s30x1yxw.rrb\app.exe
C:\Users\Admin\AppData\Local\Temp\s30x1yxw.rrb\app.exe /8-2222
15⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\s30x1yxw.rrb\app.exe
"C:\Users\Admin\AppData\Local\Temp\s30x1yxw.rrb\app.exe" /8-2222
16⤵
PID:6060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j04ft552.mb5\installer.exe /qn CAMPAIGN="654" & exit
14⤵
PID:6148

C:\Users\Admin\AppData\Local\Temp\j04ft552.mb5\installer.exe
C:\Users\Admin\AppData\Local\Temp\j04ft552.mb5\installer.exe /qn CAMPAIGN="654"
15⤵
PID:2996

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\j04ft552.mb5\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\j04ft552.mb5\ EXE_CMD_LINE="/forcecleanup /wintime 1621217139 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
16⤵
PID:2088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5bkfwlrd.qxx\google-game.exe & exit
6⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\5bkfwlrd.qxx\google-game.exe
C:\Users\Admin\AppData\Local\Temp\5bkfwlrd.qxx\google-game.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:5748

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser
8⤵
- Loads dropped DLL
- Modifies registry class
PID:6128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o0urxga4.bm5\setup.exe & exit
6⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\o0urxga4.bm5\setup.exe
C:\Users\Admin\AppData\Local\Temp\o0urxga4.bm5\setup.exe
7⤵
- Executes dropped EXE
PID:2284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hi1n5scx.3bz\customer1.exe & exit
6⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\hi1n5scx.3bz\customer1.exe
C:\Users\Admin\AppData\Local\Temp\hi1n5scx.3bz\customer1.exe
7⤵
- Executes dropped EXE
PID:6540

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
PID:6988

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
PID:6644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qitsnygx.vhd\GcleanerWW.exe /mixone & exit
6⤵
PID:6188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gftr3rra.2ow\005.exe & exit
6⤵
PID:6316

C:\Users\Admin\AppData\Local\Temp\gftr3rra.2ow\005.exe
C:\Users\Admin\AppData\Local\Temp\gftr3rra.2ow\005.exe
7⤵
- Executes dropped EXE
PID:6748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ukjqskfg.lbw\toolspab1.exe & exit
6⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\ukjqskfg.lbw\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\ukjqskfg.lbw\toolspab1.exe
7⤵
PID:8036

C:\Users\Admin\AppData\Local\Temp\ukjqskfg.lbw\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\ukjqskfg.lbw\toolspab1.exe
8⤵
PID:6132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\02zy00ma.ywf\702564a0.exe & exit
6⤵
PID:6304

C:\Users\Admin\AppData\Local\Temp\02zy00ma.ywf\702564a0.exe
C:\Users\Admin\AppData\Local\Temp\02zy00ma.ywf\702564a0.exe
7⤵
PID:4156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nj0vvlhg.ggy\app.exe /8-2222 & exit
6⤵
PID:6492

C:\Users\Admin\AppData\Local\Temp\nj0vvlhg.ggy\app.exe
C:\Users\Admin\AppData\Local\Temp\nj0vvlhg.ggy\app.exe /8-2222
7⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\nj0vvlhg.ggy\app.exe
"C:\Users\Admin\AppData\Local\Temp\nj0vvlhg.ggy\app.exe" /8-2222
8⤵
PID:6600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\etd42n0r.2fi\installer.exe /qn CAMPAIGN="654" & exit
6⤵
PID:7060

C:\Users\Admin\AppData\Local\Temp\etd42n0r.2fi\installer.exe
C:\Users\Admin\AppData\Local\Temp\etd42n0r.2fi\installer.exe /qn CAMPAIGN="654"
7⤵
PID:6872

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\etd42n0r.2fi\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\etd42n0r.2fi\ EXE_CMD_LINE="/forcecleanup /wintime 1621217139 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
8⤵
PID:7820

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\sskiper.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\sskiper.exe"
2⤵
- Executes dropped EXE
PID:3940

C:\Users\Admin\AppData\Local\Temp\229623323.exe
C:\Users\Admin\AppData\Local\Temp\229623323.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Users\Admin\AppData\Local\Temp\2115970737.exe
C:\Users\Admin\AppData\Local\Temp\2115970737.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\sskiper.exe & exit
3⤵
PID:4212

C:\Windows\SysWOW64\PING.EXE
ping 0
4⤵
- Runs ping.exe
PID:4976

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
2⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4168

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1660

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5356

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:5480

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5A31F0C2F68CE00EF5C1D0FB6807C3B0 C
2⤵
- Loads dropped DLL
PID:5732

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A9302D8D4D81FC8A7214CC29C560FA87
2⤵
- Loads dropped DLL
PID:5584

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:5644

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C30968A6EE531F831CC42E6037417D7A E Global\MSI0000
2⤵
PID:7924

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BBFEF6FC76A87B252E7B79D42C73BF64 C
2⤵
PID:7640

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AD36129A427BC82D5CEDDC1C834CCC68
2⤵
PID:6116

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:5492

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F5B636C7A56B10EBE4C177C179E89C93 E Global\MSI0000
2⤵
PID:7564

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FEABD74B763E282CA6811423C4CF1556 C
2⤵
PID:7528

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FC66B2045A1873B39536E476B72D44A0
2⤵
PID:6464

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:4280

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2894621AF8AB5B4B5B89E578BBBCB611 E Global\MSI0000
2⤵
PID:6136

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5544

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6800

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6844

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\ED01.exe
C:\Users\Admin\AppData\Local\Temp\ED01.exe
1⤵
PID:8024

C:\Users\Admin\AppData\Local\Temp\8E6.exe
C:\Users\Admin\AppData\Local\Temp\8E6.exe
1⤵
PID:7140

C:\Users\Admin\AppData\Roaming\SmartSoft\GDImageApplication\gdapp.exe
C:\Users\Admin\AppData\Roaming\SmartSoft\GDImageApplication\gdapp.exe
2⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\DBA.exe
C:\Users\Admin\AppData\Local\Temp\DBA.exe
1⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\15B9.exe
C:\Users\Admin\AppData\Local\Temp\15B9.exe
1⤵
PID:7932

C:\Users\Admin\AppData\Local\Temp\1A5E.exe
C:\Users\Admin\AppData\Local\Temp\1A5E.exe
1⤵
PID:7512

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7468

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7744

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6904

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4528

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2164

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4540

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6524

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4032

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

System Information Discovery