elysiumstealer | 8e4f30afa8d0ce48c46a39e2754d8f7adad90ae8ccaf0132b354be76076b20cc

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Cakaewowiwa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Kofushuruxa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Tyzhosoluru.exe

Loads dropped DLL 45 IoCs

pid	Process
184	LzmwAqmV.tmp
4420	i-record.exe
4420	i-record.exe
4420	i-record.exe
4420	i-record.exe
4420	i-record.exe
4420	i-record.exe
4420	i-record.exe
4420	i-record.exe
4420	i-record.exe
5112	installer.exe
5112	installer.exe
5112	installer.exe
4644	MsiExec.exe
4644	MsiExec.exe
5192	Setup3310.tmp
5192	Setup3310.tmp
5784	MsiExec.exe
5920	rUNdlL32.eXe
5784	MsiExec.exe
5784	MsiExec.exe
5784	MsiExec.exe
5784	MsiExec.exe
5784	MsiExec.exe
5784	MsiExec.exe
5504	LabPicV3.tmp
6136	lylal220.tmp
4684	cmd.exe
4684	cmd.exe
5784	MsiExec.exe
5784	MsiExec.exe
5784	MsiExec.exe
5112	installer.exe
5784	MsiExec.exe
5784	MsiExec.exe
5748	RunWW.exe
5748	RunWW.exe
6484	MsiExec.exe
6484	MsiExec.exe
6484	MsiExec.exe
6484	MsiExec.exe
6484	MsiExec.exe
6484	MsiExec.exe
6484	MsiExec.exe
5784	MsiExec.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
7756	icacls.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Taepenawugae.exe\""	Balti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	2654459.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Adobe\\Bazhushaeleha.exe\""	3316505.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\recording\\Dywixezhapy.exe\""	4_177039.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
131	ipinfo.io
132	ip-api.com
184	ip-api.com
274	ipinfo.io
276	ipinfo.io
429	api.2ip.ua
73	ipinfo.io
75	ipinfo.io
287	ipinfo.io
428	api.2ip.ua

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3216 set thread context of 6032	3216	svchost.exe	125
PID 6552 set thread context of 6724	6552	Setup.exe	160

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\recording\Bunifu_UI_v1.52.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	MicrosoftEdgeCP.exe
File created	C:\Program Files (x86)\Picture Lab\is-H9DO6.tmp	MicrosoftEdgeCP.exe
File created	C:\Program Files (x86)\recording\is-E9JUM.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-U3RVM.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe	Setup.exe
File created	C:\Program Files (x86)\Picture Lab\is-HRMAB.tmp	MicrosoftEdgeCP.exe
File created	C:\Program Files (x86)\Picture Lab\is-5ATI4.tmp	MicrosoftEdgeCP.exe
File created	C:\Program Files\Windows Multimedia Platform\XIWTZEIYTX\irecord.exe.config	4_177039.exe
File opened for modification	C:\Program Files (x86)\recording\avcodec-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\unins000.exe	irecord.tmp
File created	C:\Program Files (x86)\recording\is-OMQS8.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe	Setup.exe
File created	C:\Program Files (x86)\recording\is-TPQJC.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\Dywixezhapy.exe	4_177039.exe
File created	C:\Program Files (x86)\recording\Dywixezhapy.exe.config	4_177039.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files\Reference Assemblies\BZXPWUNVDP\irecord.exe.config	Balti.exe
File opened for modification	C:\Program Files (x86)\recording\AForge.Video.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\swresample-0.dll	irecord.tmp
File created	C:\Program Files (x86)\Windows Portable Devices\Taepenawugae.exe.config	Balti.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	MicrosoftEdgeCP.exe
File created	C:\Program Files\Windows Multimedia Platform\XIWTZEIYTX\irecord.exe	4_177039.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\recording\avutil-51.dll	irecord.tmp
File created	C:\Program Files (x86)\Windows Portable Devices\Taepenawugae.exe	Balti.exe
File created	C:\Program Files (x86)\recording\is-B4H5T.tmp	irecord.tmp
File created	C:\Program Files\Microsoft Office 15\BHIONCQILY\prolab.exe.config	3316505.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceLibrary.dll	MicrosoftEdgeCP.exe
File created	C:\Program Files (x86)\Picture Lab\is-MCHMU.tmp	MicrosoftEdgeCP.exe
File opened for modification	C:\Program Files (x86)\recording\swscale-2.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\unins000.exe	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avcodec-53.dll	irecord.tmp
File created	C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.ini	Setup.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\DockingToolbar.dll	MicrosoftEdgeCP.exe
File created	C:\Program Files (x86)\Picture Lab\is-H794T.tmp	MicrosoftEdgeCP.exe
File opened for modification	C:\Program Files (x86)\recording\swresample-0.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\AForge.Video.FFMPEG.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-NEG9O.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avformat-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\i-record.exe	irecord.tmp
File created	C:\Program Files (x86)\recording\is-BTL0T.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-MC61Q.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-BTQ56.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\unins000.dat	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	MicrosoftEdgeCP.exe
File created	C:\Program Files (x86)\Picture Lab\is-2LFBB.tmp	MicrosoftEdgeCP.exe
File created	C:\Program Files (x86)\Adobe\Bazhushaeleha.exe	3316505.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\recording\postproc-52.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\swscale-2.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-5M6TU.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-H7OUI.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-444B8.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\recording\Bunifu_UI_v1.52.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avutil-51.dll	irecord.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files\Reference Assemblies\BZXPWUNVDP\irecord.exe	Balti.exe
File created	C:\Program Files (x86)\Picture Lab\is-T7N3T.tmp	MicrosoftEdgeCP.exe
File opened for modification	C:\Program Files (x86)\recording\i-record.exe	irecord.tmp

Drops file in Windows directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E53.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI724C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA516.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF8A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC095.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC86A.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSIC54A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC77E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC917.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB6A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f746288.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7710.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC654.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\f746288.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6AE6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA39.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC3A3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\f74628b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C7D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7048.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFCA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD95.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3648	836	WerFault.exe	74
432	2064	WerFault.exe	77
6880	6352	WerFault.exe	157
6976	4224	WerFault.exe	268

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RunWW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RunWW.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
7288	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
6020	taskkill.exe
6280	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000bac57de394b5600f1c12ffa2b778fe0d9ad060d8e82448a00914d7b7af820b36c382baf47f9ef8345ef7cc46a7897ce95305911812730b27b578344b601b	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TV2553ZI-PZ3Y-VP7M-68Y0-MJT9X67Z6U7M}	rUNdlL32.eXe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b7767e0ccb4fd701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EL1681II-FO1F-AN2G-81K3-DNI5R86H5R6K}	rUNdlL32.eXe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "0s03o8t"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 010000003872fabd1a2836a36a527cf16defed2878c43c874e4115dcd7d62cd545f232ee000caa94c17a589174fa013d6d4f5dcbafbc454500bd6e696de5	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 9e6b760dcb4fd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 010000005072e6e3d287c0e172137216e50cce43104cd816860a0f142f5b5ae23dc5d96a1973a7e779a50a1d4a5a6c6dac57b78e330b1506dbec2492c554c146c0f8da54947819ce21b495c454cea7928057393f9c370e8eb865428e0def	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{08CA7FDB-1A66-486A-90C2-E9B23EAF3307}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Cakaewowiwa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Cakaewowiwa.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
7836	PING.EXE
8016	PING.EXE
5700	PING.EXE

Script User-Agent 15 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	285	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	79	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	275	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	138	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	281	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	130	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	137	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	115	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	131	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	120	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	159	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	179	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	289	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	74	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	75	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
432	WerFault.exe
432	WerFault.exe
432	WerFault.exe
432	WerFault.exe
432	WerFault.exe
432	WerFault.exe
432	WerFault.exe
432	WerFault.exe
432	WerFault.exe
432	WerFault.exe
432	WerFault.exe
432	WerFault.exe
432	WerFault.exe
432	WerFault.exe
432	WerFault.exe
432	WerFault.exe
4216	irecord.tmp
4216	irecord.tmp
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe
4304	Qadoshewaeki.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4524	MicrosoftEdgeCP.exe
4524	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	diragame.exe
Token: SeDebugPrivilege	1416	irecCH4.exe
Token: SeDebugPrivilege	2064	md4_4igk.exe
Token: SeDebugPrivilege	2456	sunlap.exe
Token: SeDebugPrivilege	3648	WerFault.exe
Token: SeDebugPrivilege	432	WerFault.exe
Token: SeDebugPrivilege	1480	Balti.exe
Token: SeDebugPrivilege	4240	Cakaewowiwa.exe
Token: SeDebugPrivilege	4304	Qadoshewaeki.exe
Token: SeDebugPrivilege	4564	MicrosoftEdge.exe
Token: SeDebugPrivilege	4564	MicrosoftEdge.exe
Token: SeDebugPrivilege	4564	MicrosoftEdge.exe
Token: SeDebugPrivilege	4564	MicrosoftEdge.exe
Token: SeSecurityPrivilege	4948	msiexec.exe
Token: SeCreateTokenPrivilege	5112	installer.exe
Token: SeAssignPrimaryTokenPrivilege	5112	installer.exe
Token: SeLockMemoryPrivilege	5112	installer.exe
Token: SeIncreaseQuotaPrivilege	5112	installer.exe
Token: SeMachineAccountPrivilege	5112	installer.exe
Token: SeTcbPrivilege	5112	installer.exe
Token: SeSecurityPrivilege	5112	installer.exe
Token: SeTakeOwnershipPrivilege	5112	installer.exe
Token: SeLoadDriverPrivilege	5112	installer.exe
Token: SeSystemProfilePrivilege	5112	installer.exe
Token: SeSystemtimePrivilege	5112	installer.exe
Token: SeProfSingleProcessPrivilege	5112	installer.exe
Token: SeIncBasePriorityPrivilege	5112	installer.exe
Token: SeCreatePagefilePrivilege	5112	installer.exe
Token: SeCreatePermanentPrivilege	5112	installer.exe
Token: SeBackupPrivilege	5112	installer.exe
Token: SeRestorePrivilege	5112	installer.exe
Token: SeShutdownPrivilege	5112	installer.exe
Token: SeDebugPrivilege	5112	installer.exe
Token: SeAuditPrivilege	5112	installer.exe
Token: SeSystemEnvironmentPrivilege	5112	installer.exe
Token: SeChangeNotifyPrivilege	5112	installer.exe
Token: SeRemoteShutdownPrivilege	5112	installer.exe
Token: SeUndockPrivilege	5112	installer.exe
Token: SeSyncAgentPrivilege	5112	installer.exe
Token: SeEnableDelegationPrivilege	5112	installer.exe
Token: SeManageVolumePrivilege	5112	installer.exe
Token: SeImpersonatePrivilege	5112	installer.exe
Token: SeCreateGlobalPrivilege	5112	installer.exe
Token: SeCreateTokenPrivilege	5112	installer.exe
Token: SeAssignPrimaryTokenPrivilege	5112	installer.exe
Token: SeLockMemoryPrivilege	5112	installer.exe
Token: SeIncreaseQuotaPrivilege	5112	installer.exe
Token: SeMachineAccountPrivilege	5112	installer.exe
Token: SeTcbPrivilege	5112	installer.exe
Token: SeSecurityPrivilege	5112	installer.exe
Token: SeTakeOwnershipPrivilege	5112	installer.exe
Token: SeLoadDriverPrivilege	5112	installer.exe
Token: SeSystemProfilePrivilege	5112	installer.exe
Token: SeSystemtimePrivilege	5112	installer.exe
Token: SeProfSingleProcessPrivilege	5112	installer.exe
Token: SeIncBasePriorityPrivilege	5112	installer.exe
Token: SeCreatePagefilePrivilege	5112	installer.exe
Token: SeCreatePermanentPrivilege	5112	installer.exe
Token: SeBackupPrivilege	5112	installer.exe
Token: SeRestorePrivilege	5112	installer.exe
Token: SeShutdownPrivilege	5112	installer.exe
Token: SeDebugPrivilege	5112	installer.exe
Token: SeAuditPrivilege	5112	installer.exe
Token: SeSystemEnvironmentPrivilege	5112	installer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4216	irecord.tmp
5112	installer.exe
5192	Setup3310.tmp
4684	cmd.exe
6816	MicrosoftEdgeCP.exe
7120	irecord.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4564	MicrosoftEdge.exe
4524	MicrosoftEdgeCP.exe
4524	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 836	3232	B644F30DACDD7066907FD2807DB5FB0D.exe	74
PID 3232 wrote to memory of 836	3232	B644F30DACDD7066907FD2807DB5FB0D.exe	74
PID 3232 wrote to memory of 1416	3232	B644F30DACDD7066907FD2807DB5FB0D.exe	76
PID 3232 wrote to memory of 1416	3232	B644F30DACDD7066907FD2807DB5FB0D.exe	76
PID 3232 wrote to memory of 2064	3232	B644F30DACDD7066907FD2807DB5FB0D.exe	77
PID 3232 wrote to memory of 2064	3232	B644F30DACDD7066907FD2807DB5FB0D.exe	77
PID 3232 wrote to memory of 2456	3232	B644F30DACDD7066907FD2807DB5FB0D.exe	78
PID 3232 wrote to memory of 2456	3232	B644F30DACDD7066907FD2807DB5FB0D.exe	78
PID 1416 wrote to memory of 2356	1416	irecCH4.exe	80
PID 1416 wrote to memory of 2356	1416	irecCH4.exe	80
PID 1416 wrote to memory of 2356	1416	irecCH4.exe	80
PID 2356 wrote to memory of 184	2356	LzmwAqmV.exe	81
PID 2356 wrote to memory of 184	2356	LzmwAqmV.exe	81
PID 2356 wrote to memory of 184	2356	LzmwAqmV.exe	81
PID 184 wrote to memory of 1480	184	LzmwAqmV.tmp	85
PID 184 wrote to memory of 1480	184	LzmwAqmV.tmp	85
PID 1480 wrote to memory of 4180	1480	Balti.exe	89
PID 1480 wrote to memory of 4180	1480	Balti.exe	89
PID 1480 wrote to memory of 4180	1480	Balti.exe	89
PID 4180 wrote to memory of 4216	4180	irecord.exe	90
PID 4180 wrote to memory of 4216	4180	irecord.exe	90
PID 4180 wrote to memory of 4216	4180	irecord.exe	90
PID 1480 wrote to memory of 4240	1480	Balti.exe	91
PID 1480 wrote to memory of 4240	1480	Balti.exe	91
PID 1480 wrote to memory of 4304	1480	Balti.exe	92
PID 1480 wrote to memory of 4304	1480	Balti.exe	92
PID 4216 wrote to memory of 4420	4216	irecord.tmp	93
PID 4216 wrote to memory of 4420	4216	irecord.tmp	93
PID 4216 wrote to memory of 4420	4216	irecord.tmp	93
PID 4304 wrote to memory of 4228	4304	Qadoshewaeki.exe	187
PID 4304 wrote to memory of 4228	4304	Qadoshewaeki.exe	187
PID 4228 wrote to memory of 3732	4228	MicrosoftEdgeCP.exe	98
PID 4228 wrote to memory of 3732	4228	MicrosoftEdgeCP.exe	98
PID 4228 wrote to memory of 3732	4228	MicrosoftEdgeCP.exe	98
PID 4304 wrote to memory of 4788	4304	Qadoshewaeki.exe	100
PID 4304 wrote to memory of 4788	4304	Qadoshewaeki.exe	100
PID 4304 wrote to memory of 5016	4304	Qadoshewaeki.exe	103
PID 4304 wrote to memory of 5016	4304	Qadoshewaeki.exe	103
PID 5016 wrote to memory of 5112	5016	cmd.exe	105
PID 5016 wrote to memory of 5112	5016	cmd.exe	105
PID 5016 wrote to memory of 5112	5016	cmd.exe	105
PID 4304 wrote to memory of 2140	4304	Qadoshewaeki.exe	106
PID 4304 wrote to memory of 2140	4304	Qadoshewaeki.exe	106
PID 4304 wrote to memory of 4016	4304	Qadoshewaeki.exe	112
PID 4304 wrote to memory of 4016	4304	Qadoshewaeki.exe	112
PID 4948 wrote to memory of 4644	4948	msiexec.exe	114
PID 4948 wrote to memory of 4644	4948	msiexec.exe	114
PID 4948 wrote to memory of 4644	4948	msiexec.exe	114
PID 4016 wrote to memory of 5140	4016	cmd.exe	115
PID 4016 wrote to memory of 5140	4016	cmd.exe	115
PID 4016 wrote to memory of 5140	4016	cmd.exe	115
PID 5140 wrote to memory of 5192	5140	Setup3310.exe	116
PID 5140 wrote to memory of 5192	5140	Setup3310.exe	116
PID 5140 wrote to memory of 5192	5140	Setup3310.exe	116
PID 5112 wrote to memory of 5496	5112	installer.exe	117
PID 5112 wrote to memory of 5496	5112	installer.exe	117
PID 5112 wrote to memory of 5496	5112	installer.exe	117
PID 4304 wrote to memory of 5568	4304	Qadoshewaeki.exe	118
PID 4304 wrote to memory of 5568	4304	Qadoshewaeki.exe	118
PID 5568 wrote to memory of 5672	5568	cmd.exe	186
PID 5568 wrote to memory of 5672	5568	cmd.exe	186
PID 5568 wrote to memory of 5672	5568	cmd.exe	186
PID 4524 wrote to memory of 4352	4524	MicrosoftEdgeCP.exe	111
PID 4524 wrote to memory of 4352	4524	MicrosoftEdgeCP.exe	111

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1060

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1864

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2700

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2788

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2712

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1452

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\B644F30DACDD7066907FD2807DB5FB0D.exe
"C:\Users\Admin\AppData\Local\Temp\B644F30DACDD7066907FD2807DB5FB0D.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Users\Admin\AppData\Local\Temp\diragame.exe
  "C:\Users\Admin\AppData\Local\Temp\diragame.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 836 -s 1568
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3648
- C:\Users\Admin\AppData\Local\Temp\irecCH4.exe
  "C:\Users\Admin\AppData\Local\Temp\irecCH4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
    "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\is-FJ9K7.tmp\LzmwAqmV.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-FJ9K7.tmp\LzmwAqmV.tmp" /SL5="$701D2,140559,56832,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:184
    - - C:\Users\Admin\AppData\Local\Temp\is-QMM72.tmp\Balti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-QMM72.tmp\Balti.exe" /S /UID=irecordch4
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Program Files\Reference Assemblies\BZXPWUNVDP\irecord.exe
        
        "C:\Program Files\Reference Assemblies\BZXPWUNVDP\irecord.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\is-TQDOV.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TQDOV.tmp\irecord.tmp" /SL5="$30122,6139911,56832,C:\Program Files\Reference Assemblies\BZXPWUNVDP\irecord.exe" /VERYSILENT
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Program Files (x86)\recording\i-record.exe
        
        "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4420
      - C:\Users\Admin\AppData\Local\Temp\45-126da-723-2e4ba-879f4fe3ac809\Cakaewowiwa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\45-126da-723-2e4ba-879f4fe3ac809\Cakaewowiwa.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
      - C:\Users\Admin\AppData\Local\Temp\20-28353-8a1-9169c-4e8bb104f406d\Qadoshewaeki.exe
        
        "C:\Users\Admin\AppData\Local\Temp\20-28353-8a1-9169c-4e8bb104f406d\Qadoshewaeki.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lghas4t0.0f5\001.exe & exit
        7⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\lghas4t0.0f5\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\lghas4t0.0f5\001.exe
        8⤵
        Executes dropped EXE
        
        PID:3732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ecnl3jgr.avu\GcleanerEU.exe /eufive & exit
        7⤵
        
        PID:4788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mbq55ldq.mxl\installer.exe /qn CAMPAIGN="654" & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\mbq55ldq.mxl\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\mbq55ldq.mxl\installer.exe /qn CAMPAIGN="654"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\mbq55ldq.mxl\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\mbq55ldq.mxl\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621511872 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        9⤵
        
        PID:5496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\42hpkrqt.ssr\hbggg.exe & exit
        7⤵
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\34bev34n.cyq\Setup3310.exe /Verysilent /subid=623 & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\34bev34n.cyq\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\34bev34n.cyq\Setup3310.exe /Verysilent /subid=623
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\is-BDNM4.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BDNM4.tmp\Setup3310.tmp" /SL5="$10380,138429,56832,C:\Users\Admin\AppData\Local\Temp\34bev34n.cyq\Setup3310.exe" /Verysilent /subid=623
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\is-6J8D0.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-6J8D0.tmp\Setup.exe" /Verysilent
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:6088
        
        C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
        11⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Executes dropped EXE
        
        PID:6836
        
        C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
        12⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im RunWW.exe /f
        13⤵
        Kills process with taskkill
        
        PID:6280
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        13⤵
        Delays execution with timeout.exe
        
        PID:7288
        
        C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"
        11⤵
        Executes dropped EXE
        
        PID:5856
        
        C:\Users\Admin\AppData\Roaming\8979618.exe
        
        "C:\Users\Admin\AppData\Roaming\8979618.exe"
        12⤵
        Executes dropped EXE
        
        PID:5604
        
        C:\Users\Admin\AppData\Roaming\2654459.exe
        
        "C:\Users\Admin\AppData\Roaming\2654459.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:6232
        
        C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        13⤵
        Executes dropped EXE
        
        PID:6608
        
        C:\Users\Admin\AppData\Roaming\2488891.exe
        
        "C:\Users\Admin\AppData\Roaming\2488891.exe"
        12⤵
        Executes dropped EXE
        
        PID:6352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 2124
        13⤵
        Program crash
        
        PID:6880
        
        C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        11⤵
        Executes dropped EXE
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\is-FRL0H.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FRL0H.tmp\LabPicV3.tmp" /SL5="$2047E,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\is-9F6V4.tmp\3316505.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-9F6V4.tmp\3316505.exe" /S /UID=lab214
        13⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:5228
        
        C:\Program Files\Microsoft Office 15\BHIONCQILY\prolab.exe
        
        "C:\Program Files\Microsoft Office 15\BHIONCQILY\prolab.exe" /VERYSILENT
        14⤵
        Executes dropped EXE
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\is-1A1ET.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1A1ET.tmp\prolab.tmp" /SL5="$30444,575243,216576,C:\Program Files\Microsoft Office 15\BHIONCQILY\prolab.exe" /VERYSILENT
        15⤵
        
        PID:6816
        
        C:\Users\Admin\AppData\Local\Temp\f8-46b87-bd7-736bf-199331dee127a\Kofushuruxa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f8-46b87-bd7-736bf-199331dee127a\Kofushuruxa.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\16-3f5b7-f56-05fb7-6a3b2e17b135b\ZHikybaekilae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\16-3f5b7-f56-05fb7-6a3b2e17b135b\ZHikybaekilae.exe"
        14⤵
        Executes dropped EXE
        
        PID:6944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m2tc4rmx.xlo\001.exe & exit
        15⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\m2tc4rmx.xlo\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\m2tc4rmx.xlo\001.exe
        16⤵
        Executes dropped EXE
        
        PID:6512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\meu0i3dt.k11\GcleanerEU.exe /eufive & exit
        15⤵
        
        PID:6172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wdtma300.vze\installer.exe /qn CAMPAIGN="654" & exit
        15⤵
        
        PID:6872
        
        C:\Users\Admin\AppData\Local\Temp\wdtma300.vze\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\wdtma300.vze\installer.exe /qn CAMPAIGN="654"
        16⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x5zp1oeu.qic\hbggg.exe & exit
        15⤵
        
        PID:5372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hapxflkh.kas\Setup3310.exe /Verysilent /subid=623 & exit
        15⤵
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\hapxflkh.kas\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\hapxflkh.kas\Setup3310.exe /Verysilent /subid=623
        16⤵
        
        PID:7544
        
        C:\Users\Admin\AppData\Local\Temp\is-ARG49.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ARG49.tmp\Setup3310.tmp" /SL5="$405F4,138429,56832,C:\Users\Admin\AppData\Local\Temp\hapxflkh.kas\Setup3310.exe" /Verysilent /subid=623
        17⤵
        
        PID:7596
        
        C:\Users\Admin\AppData\Local\Temp\is-450IM.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-450IM.tmp\Setup.exe" /Verysilent
        18⤵
        
        PID:4596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hllr2mmp.grp\google-game.exe & exit
        15⤵
        
        PID:7840
        
        C:\Users\Admin\AppData\Local\Temp\hllr2mmp.grp\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\hllr2mmp.grp\google-game.exe
        16⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",getname
        17⤵
        
        PID:8008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g2ml1pzo.msc\setup.exe & exit
        15⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\g2ml1pzo.msc\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\g2ml1pzo.msc\setup.exe
        16⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\g2ml1pzo.msc\setup.exe"
        17⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        18⤵
        Runs ping.exe
        
        PID:7836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mgb41bk1.l0e\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:7948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a1fcm0bo.jwe\005.exe & exit
        15⤵
        
        PID:7980
        
        C:\Users\Admin\AppData\Local\Temp\a1fcm0bo.jwe\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\a1fcm0bo.jwe\005.exe
        16⤵
        
        PID:6904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\owagr5oa.paw\toolspab1.exe & exit
        15⤵
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\Temp\owagr5oa.paw\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\owagr5oa.paw\toolspab1.exe
        16⤵
        
        PID:7428
        
        C:\Users\Admin\AppData\Local\Temp\owagr5oa.paw\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\owagr5oa.paw\toolspab1.exe
        17⤵
        
        PID:5932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fgh403ph.oue\702564a0.exe & exit
        15⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\fgh403ph.oue\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fgh403ph.oue\702564a0.exe
        16⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 480
        17⤵
        Program crash
        
        PID:6976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b50lo5m3.3ra\installer.exe /qn CAMPAIGN="654" & exit
        15⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\b50lo5m3.3ra\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\b50lo5m3.3ra\installer.exe /qn CAMPAIGN="654"
        16⤵
        
        PID:1256
        
        C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        11⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\is-AOL7A.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-AOL7A.tmp\lylal220.tmp" /SL5="$20476,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\is-157L4.tmp\4_177039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-157L4.tmp\4_177039.exe" /S /UID=lylal220
        13⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:5288
        
        C:\Program Files\Windows Multimedia Platform\XIWTZEIYTX\irecord.exe
        
        "C:\Program Files\Windows Multimedia Platform\XIWTZEIYTX\irecord.exe" /VERYSILENT
        14⤵
        Executes dropped EXE
        
        PID:7092
        
        C:\Users\Admin\AppData\Local\Temp\is-B2020.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-B2020.tmp\irecord.tmp" /SL5="$40418,6139911,56832,C:\Program Files\Windows Multimedia Platform\XIWTZEIYTX\irecord.exe" /VERYSILENT
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:7120
        
        C:\Users\Admin\AppData\Local\Temp\5f-63628-27d-e8693-66b897947d7b4\Tyzhosoluru.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5f-63628-27d-e8693-66b897947d7b4\Tyzhosoluru.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:6260
        
        C:\Users\Admin\AppData\Local\Temp\ce-70f67-5f7-47b81-8ac415e36a3ca\Jizhygineli.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ce-70f67-5f7-47b81-8ac415e36a3ca\Jizhygineli.exe"
        14⤵
        Executes dropped EXE
        
        PID:5324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3oylzxfw.jff\001.exe & exit
        15⤵
        Executes dropped EXE
        
        PID:5992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        Executes dropped EXE
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\3oylzxfw.jff\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\3oylzxfw.jff\001.exe
        16⤵
        Executes dropped EXE
        
        PID:7012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wusbmpls.zkx\GcleanerEU.exe /eufive & exit
        15⤵
        
        PID:6824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f3vnvwze.acj\installer.exe /qn CAMPAIGN="654" & exit
        15⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\f3vnvwze.acj\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\f3vnvwze.acj\installer.exe /qn CAMPAIGN="654"
        16⤵
        
        PID:4540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ycrrq4co.5gn\hbggg.exe & exit
        15⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:4684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\w5phbeiq.p4m\Setup3310.exe /Verysilent /subid=623 & exit
        15⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\w5phbeiq.p4m\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\w5phbeiq.p4m\Setup3310.exe /Verysilent /subid=623
        16⤵
        
        PID:7672
        
        C:\Users\Admin\AppData\Local\Temp\is-OK1NT.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OK1NT.tmp\Setup3310.tmp" /SL5="$20622,138429,56832,C:\Users\Admin\AppData\Local\Temp\w5phbeiq.p4m\Setup3310.exe" /Verysilent /subid=623
        17⤵
        
        PID:7696
        
        C:\Users\Admin\AppData\Local\Temp\is-JLA6M.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-JLA6M.tmp\Setup.exe" /Verysilent
        18⤵
        
        PID:7260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sus0mvy4.sdf\google-game.exe & exit
        15⤵
        
        PID:6592
        
        C:\Users\Admin\AppData\Local\Temp\sus0mvy4.sdf\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\sus0mvy4.sdf\google-game.exe
        16⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",getname
        17⤵
        
        PID:6416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yu3ns3ts.psl\setup.exe & exit
        15⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\yu3ns3ts.psl\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\yu3ns3ts.psl\setup.exe
        16⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\yu3ns3ts.psl\setup.exe"
        17⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        18⤵
        Runs ping.exe
        
        PID:8016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3nik5nu3.1iz\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:7580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ipocku3v.dsq\005.exe & exit
        15⤵
        
        PID:7740
        
        C:\Users\Admin\AppData\Local\Temp\ipocku3v.dsq\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\ipocku3v.dsq\005.exe
        16⤵
        
        PID:8032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pgy0dkb5.fcu\toolspab1.exe & exit
        15⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\pgy0dkb5.fcu\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\pgy0dkb5.fcu\toolspab1.exe
        16⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\pgy0dkb5.fcu\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\pgy0dkb5.fcu\toolspab1.exe
        17⤵
        
        PID:5488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uqrhdsre.32j\702564a0.exe & exit
        15⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\uqrhdsre.32j\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\uqrhdsre.32j\702564a0.exe
        16⤵
        
        PID:6716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c0qd3k0b.tsx\installer.exe /qn CAMPAIGN="654" & exit
        15⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\c0qd3k0b.tsx\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0qd3k0b.tsx\installer.exe /qn CAMPAIGN="654"
        16⤵
        
        PID:7808
        
        C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent
        11⤵
        Executes dropped EXE
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\is-8DHMO.tmp\Versium.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8DHMO.tmp\Versium.tmp" /SL5="$2042A,138429,56832,C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent
        12⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\is-VHNSO.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-VHNSO.tmp\Setup.exe" /Verysilent
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        14⤵
        
        PID:6724
        
        C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
        11⤵
        Executes dropped EXE
        
        PID:5708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\theahpo4.nz2\google-game.exe & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\theahpo4.nz2\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\theahpo4.nz2\google-game.exe
        8⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",getname
        9⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:5920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tkfhyutb.xnw\setup.exe & exit
        7⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\tkfhyutb.xnw\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\tkfhyutb.xnw\setup.exe
        8⤵
        Executes dropped EXE
        
        PID:6064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\tkfhyutb.xnw\setup.exe"
        9⤵
        Executes dropped EXE
        
        PID:6048
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        10⤵
        Runs ping.exe
        
        PID:5700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\e4xu2sek.vim\GcleanerWW.exe /mixone & exit
        7⤵
        
        PID:4484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ejrpfelu.gqv\005.exe & exit
        7⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\ejrpfelu.gqv\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\ejrpfelu.gqv\005.exe
        8⤵
        
        PID:6048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5u2hknfy.njr\toolspab1.exe & exit
        7⤵
        
        PID:8052
        
        C:\Users\Admin\AppData\Local\Temp\5u2hknfy.njr\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\5u2hknfy.njr\toolspab1.exe
        8⤵
        
        PID:7916
        
        C:\Users\Admin\AppData\Local\Temp\5u2hknfy.njr\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\5u2hknfy.njr\toolspab1.exe
        9⤵
        
        PID:5344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yfinpdlc.u3r\702564a0.exe & exit
        7⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\yfinpdlc.u3r\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\yfinpdlc.u3r\702564a0.exe
        8⤵
        
        PID:6616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p5ocrlwi.j3w\installer.exe /qn CAMPAIGN="654" & exit
        7⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Local\Temp\p5ocrlwi.j3w\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\p5ocrlwi.j3w\installer.exe /qn CAMPAIGN="654"
        8⤵
        
        PID:2732
- C:\Users\Admin\AppData\Local\Temp\md4_4igk.exe
  "C:\Users\Admin\AppData\Local\Temp\md4_4igk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2064 -s 1312
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- C:\Users\Admin\AppData\Local\Temp\sunlap.exe
  "C:\Users\Admin\AppData\Local\Temp\sunlap.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:364

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
PID:3216
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:6032

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4772

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 259D51DE82EC958FA4E89134C202698E C
  2⤵
  - Loads dropped DLL
  PID:4644
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E70300F78832A05B5783E8965261B540
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5784
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:6020
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6D6740DA7A2A5D0A4121AF1ECB7300CF E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:6484

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5008

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7352

C:\Users\Admin\AppData\Local\Temp\9FDB.exe
C:\Users\Admin\AppData\Local\Temp\9FDB.exe
1⤵
PID:7424

C:\Users\Admin\AppData\Local\Temp\A9AF.exe
C:\Users\Admin\AppData\Local\Temp\A9AF.exe
1⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\C249.exe
C:\Users\Admin\AppData\Local\Temp\C249.exe
1⤵
PID:3828
- C:\Users\Admin\AppData\Local\Temp\C249.exe
  C:\Users\Admin\AppData\Local\Temp\C249.exe
  2⤵
  PID:7588
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\bc5db6bb-9086-4fd4-94fd-0b6850a89c52" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:7756

C:\Users\Admin\AppData\Local\Temp\D46B.exe
C:\Users\Admin\AppData\Local\Temp\D46B.exe
1⤵
PID:7872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qfgxula\
  2⤵
  PID:5560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tkgnedhl.exe" C:\Windows\SysWOW64\qfgxula\
  2⤵
  PID:7140
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create qfgxula binPath= "C:\Windows\SysWOW64\qfgxula\tkgnedhl.exe /d\"C:\Users\Admin\AppData\Local\Temp\D46B.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:7448
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description qfgxula "wifi internet conection"
  2⤵
  PID:5056
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start qfgxula
  2⤵
  PID:6220
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:6384

C:\Users\Admin\AppData\Local\Temp\DA57.exe
C:\Users\Admin\AppData\Local\Temp\DA57.exe
1⤵
PID:7528

C:\Users\Admin\AppData\Local\Temp\E0D1.exe
C:\Users\Admin\AppData\Local\Temp\E0D1.exe
1⤵
PID:188

C:\Users\Admin\AppData\Local\Temp\EB41.exe
C:\Users\Admin\AppData\Local\Temp\EB41.exe
1⤵
PID:7188

C:\Users\Admin\AppData\Local\Temp\F6EB.exe
C:\Users\Admin\AppData\Local\Temp\F6EB.exe
1⤵
PID:220

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7792

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3424

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1424

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5332

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2240

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6272

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6188

C:\Windows\SysWOW64\qfgxula\tkgnedhl.exe
C:\Windows\SysWOW64\qfgxula\tkgnedhl.exe /d"C:\Users\Admin\AppData\Local\Temp\D46B.exe"
1⤵
PID:7532

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1268

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery