elysiumstealer | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	google-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	guihuali-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Mulidudeba.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Caejejaboma.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	google-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	google-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Vycefycaebae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	keygen-step-4.exe

Loads dropped DLL 64 IoCs

pid	Process
3936	rundll32.exe
3552	Install.tmp
3748	installer.exe
3748	installer.exe
3748	installer.exe
5220	MsiExec.exe
5220	MsiExec.exe
5864	Conhost.exe
5864	Conhost.exe
5980	MsiExec.exe
2260	MsiExec.exe
2260	MsiExec.exe
2260	MsiExec.exe
2260	MsiExec.exe
2260	MsiExec.exe
2260	MsiExec.exe
2260	MsiExec.exe
5664	lylal220.tmp
6044	LabPicV3.tmp
2260	MsiExec.exe
2260	MsiExec.exe
2260	MsiExec.exe
3748	installer.exe
2260	MsiExec.exe
2260	MsiExec.exe
6464	rUNdlL32.eXe
2204	i-record.exe
2204	i-record.exe
2204	i-record.exe
2204	i-record.exe
2204	i-record.exe
2204	i-record.exe
2204	i-record.exe
2204	i-record.exe
5980	MsiExec.exe
5980	MsiExec.exe
5980	MsiExec.exe
5980	MsiExec.exe
5980	MsiExec.exe
5980	MsiExec.exe
5980	MsiExec.exe
2260	MsiExec.exe
5284	installer.exe
5284	installer.exe
2256	toolspab1.exe
6424	Setup3310.tmp
6424	Setup3310.tmp
5500	DllHost.exe
5500	DllHost.exe
5356	rUNdlL32.eXe
1552	rUNdlL32.eXe
4124	installer.exe
4124	installer.exe
4124	installer.exe
6516	MsiExec.exe
6516	MsiExec.exe
5728	toolspab1.exe
4376	702564a0.exe
6172	MsiExec.exe
6172	MsiExec.exe
6172	MsiExec.exe
6172	MsiExec.exe
6172	MsiExec.exe
6172	MsiExec.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Adobe\\Benaxohaji.exe\""	Ultra.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gaoou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	7218898.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\UltraMediaBurner\\Nifiloxyshae.exe\""	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Xaexoregyxi.exe\""	___________RUb__________y.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg6_6asg.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\V:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
79	ip-api.com
120	ipinfo.io
126	ipinfo.io
252	ip-api.com
319	ipinfo.io
322	ipinfo.io
329	ipinfo.io

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 0F8421951BDA3536	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 252B84AE29BA78D7	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 3196 set thread context of 932	3196	svchost.exe	80
PID 3196 set thread context of 3780	3196	svchost.exe	86
PID 6984 set thread context of 2256	6984	toolspab1.exe	174
PID 3952 set thread context of 5728	3952	toolspab1.exe	255
PID 6080 set thread context of 3564	6080	toolspab1.exe	256
PID 6432 set thread context of 5952	6432	uahatfe	298
PID 5000 set thread context of 4500	5000	uahatfe	326

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\install.dll	xiuhuali.exe
File created	C:\Program Files (x86)\Picture Lab\is-9KPRS.tmp	prolab.tmp
File created	C:\Program Files (x86)\recording\is-PJCED.tmp	irecord.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe	Setup.exe
File created	C:\Program Files (x86)\recording\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\recording\is-10G4Q.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-MK0AJ.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-QLA2U.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-4S8IO.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\DockingToolbar.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-A50J3.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-IOENT.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe	Setup.exe
File created	C:\Program Files (x86)\Picture Lab\is-OHPQ1.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe	Setup.exe
File created	C:\Program Files (x86)\Picture Lab\is-UV824.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\AForge.Video.FFMPEG.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\swresample-0.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.exe	Setup.exe
File created	C:\Program Files\Windows Portable Devices\IKAUBVITVL\prolab.exe	Conhost.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-84O18.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-3M31L.tmp	prolab.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\Nifiloxyshae.exe.config	Conhost.exe
File opened for modification	C:\Program Files (x86)\recording\AForge.Video.dll	irecord.tmp
File created	C:\Program Files (x86)\WindowsPowerShell\Xaexoregyxi.exe	___________RUb__________y.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe	Setup.exe
File created	C:\Program Files\Windows Defender\DHHTXRAAXU\irecord.exe.config	___________RUb__________y.exe
File opened for modification	C:\Program Files (x86)\recording\avcodec-53.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-KB40M.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-RDCE5.tmp	irecord.tmp
File created	C:\Program Files\libEGL.dll	xiuhuali.exe
File created	C:\Program Files\Windows Photo Viewer\EHNMVIERBM\ultramediaburner.exe.config	Ultra.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe	Setup.exe
File created	C:\Program Files\Windows Portable Devices\IKAUBVITVL\prolab.exe.config	Conhost.exe
File created	C:\Program Files (x86)\Picture Lab\is-IJI31.tmp	prolab.tmp
File created	C:\Program Files (x86)\recording\is-HQ0EI.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.ini	Setup.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Math.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	prolab.tmp
File created	C:\Program Files (x86)\recording\is-F1E3E.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-HMGDL.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\Adobe\Benaxohaji.exe.config	Ultra.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\postproc-52.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-91PMO.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-4R0FI.tmp	irecord.tmp
File created	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\unins000.exe	irecord.tmp
File created	C:\Program Files (x86)\WindowsPowerShell\Xaexoregyxi.exe.config	___________RUb__________y.exe
File created	C:\Program Files (x86)\Picture Lab\is-N7JS9.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\avdevice-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avfilter-2.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-NMQC7.tmp	irecord.tmp

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIB42C.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2BC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F93.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9149.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D44.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE77C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA62.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI9AFF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC79.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF0E0.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE74C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE7DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9997.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB63.tmp	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Installer\MSI7BB8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E9D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF7BA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI144.tmp	msiexec.exe
File created	C:\Windows\Installer\f748b7d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE803.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE85A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC49.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A2E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB013.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB321.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEECC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8CB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9BCB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBEA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI963E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI97C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f748b7d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE632.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7923.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI483.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE926.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI415.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7AF8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BD8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI910C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9893.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5F2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF3E0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90CD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9950.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9990.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB97D.tmp	msiexec.exe
File created	C:\Windows\Installer\f748b80.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE7AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B38.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8CE2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8DFC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9C69.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
5960	6216	WerFault.exe	149
4116	6232	WerFault.exe	276
4764	6448	WerFault.exe	151
904	6632	WerFault.exe	327
4752	4108	WerFault.exe	330
4716	6656	WerFault.exe	347
9764	9692	WerFault.exe	355

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uahatfe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bhhatfe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bhhatfe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uahatfe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bhhatfe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bhhatfe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uahatfe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uahatfe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uahatfe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bhhatfe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	702564a0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bhhatfe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uahatfe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9C5B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9C5B.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
6716	timeout.exe
5480	timeout.exe
1908	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
5804	taskkill.exe
6588	taskkill.exe
6112	taskkill.exe
5508	taskkill.exe
4972	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\18	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\16\52C64B7E	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\17\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34ABEE = 0300000001000000140000004eef7faf0062d34abee6137e774438ae9988739f04000000010000001000000024d7172657e6b799f66cf32ae88b5c280f0000000100000020000000547b3c62613c9c2b025d5461623ae703e9853ee45a8bf3b425bf63528e992912140000000100000014000000fe7e60dd9d8292295edf1cf80869a75b98896ed01900000001000000100000002aac2185e0e1b6503eb16a495b1815fc5c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000eb050000308205e7308203cfa003020102021333000001a636dabe8bbe573d9a0000000001a6300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3231303331313139323835325a170d3232303631313139323835325a3081a9310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3127302506092a864886f70d010901161862696e6769657465616d406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d0b49f5b650f0fa690df343367a2cd62155e98e3c0fc14cb1f696618be8c327ef257f50d47bce3a4286e36edc0382e0ac81096dbce62463bb552970d01d02a7ca642d6faed9b5878c4e2e33e7c9f94ea4eb7f125662d5d2fe78138ce3e827bd98969028a908fab20632542a1ef952c10382b7efcaae1f5e7521d5fb617a93aa002b579a3203726111c73a9832712e3b5d4d140b247c91824de8123b45ea39fbcdb6e5c77d68cd3db64dd24844a1879865356f655cf1c5d94b208e244bd075a9823c87af7bcad6aab52e3444aad2947a7baad0d42c9d785964dbd8b4e09004359094d0646c3ca98e7c698b0fa7d6f1606b1459fd6df8d9aea8ae85911789bc5e10203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e04160414fe7e60dd9d8292295edf1cf80869a75b98896ed0301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382020100c1055e1c6ece899cbff031668bd0b72ee668484f9392c48efe112ba21c521af47582849539f2fd53f7f8adecc243743211150de90b106e6bdaaedb88a8fc71aff2bd4bfeae5628507aa3b47095bf680a0a56bc6cb9c70871fa0b05857bf1762af884469264870c4139f7f9e93bbedaf73a867994c51e7c8473506f1ca68a8f9059cfa5c068be7ecade98315eebd7e71431ebe7d033b4fc8056d94ab70b03e1368082fc83a82cd632b9f3a03f9c9d51881c39b432ee9856e87835bc0481e57489da3590d20b2b9b0900704de861f994d956a2c0347178c59e5048bb9bbfbe8cef237d5860d7f407dcbce486eee7d98a90509a8f1b81445453326b139f0d2fdc68b831681fa96f2284b8153e3dbe60cb2d0ac030d0e2ecfc85c9d361c25e01cabe57cd6ebdc40708b2bd449152e90d2d45d725db856ab64d29a9fdb9fdb85f6354cbd5be240f4b71fa745db8eb32c0e4ea4747bfa5a4f9a5346e42b3379636d05e52225cea1baa7792b8f51b803658026b11fd0ab5877a99f4e74ff994c61177ea425554a7135d8b020661d2d285eb8bf1aa00d3bf78e2f5dba62cd7befdb85fffe6c1b65643f56fe36cf412f366b03bc8c78c852c1ed43a218256636d67eb8241477d3258af4f96b9698b0326d6d01826734eb18f1b393cbf85c0f9fdab4fb854536110f2f678003f80f270cbb1fbeb5ba09523f959dfeba84319577874e4dec0	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz!	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\traction.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	guihuali-game.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "32"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\argument.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\restrict.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "84"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\distance.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 68308eb69954d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "76"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\discreet.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "162"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\declaration.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\new.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "59"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\restrict.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\profound.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "26"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\alert.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "9"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\report.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\brandnew.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "91"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S}\1 = "5084"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "29"	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	filee.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	filee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4120	PING.EXE

Script User-Agent 24 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	129	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	325	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	329	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	330	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	346	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	354	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	355	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	125	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	455	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	392	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	162	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	322	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	345	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	348	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	151	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	240	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	320	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	324	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	126	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	261	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	347	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	375	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	387	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	148	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3936	rundll32.exe
3936	rundll32.exe
3196	svchost.exe
3196	svchost.exe
3196	svchost.exe
3196	svchost.exe
1344	ultramediaburner.tmp
1344	ultramediaburner.tmp
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe
4212	Haefibofuqu.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3016	Process not Found

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
724	Process not Found
724	Process not Found
724	Process not Found
2256	toolspab1.exe
6140	MicrosoftEdgeCP.exe
6140	MicrosoftEdgeCP.exe
5728	toolspab1.exe
4376	702564a0.exe
4580	702564a0.exe
6140	MicrosoftEdgeCP.exe
6140	MicrosoftEdgeCP.exe
5952	uahatfe
5576	bhhatfe
6140	MicrosoftEdgeCP.exe
6140	MicrosoftEdgeCP.exe
6140	MicrosoftEdgeCP.exe
6140	MicrosoftEdgeCP.exe
6140	MicrosoftEdgeCP.exe
6140	MicrosoftEdgeCP.exe
6140	MicrosoftEdgeCP.exe
6140	MicrosoftEdgeCP.exe
6140	MicrosoftEdgeCP.exe
6140	MicrosoftEdgeCP.exe
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
5336	explorer.exe
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
7108	explorer.exe
7108	explorer.exe
7108	explorer.exe
7108	explorer.exe
7108	explorer.exe
7108	explorer.exe
7108	explorer.exe
7108	explorer.exe
7108	explorer.exe
7108	explorer.exe
7108	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	rundll32.exe
Token: SeTcbPrivilege	3196	svchost.exe
Token: SeDebugPrivilege	3936	rundll32.exe
Token: SeDebugPrivilege	3936	rundll32.exe
Token: SeDebugPrivilege	3936	rundll32.exe
Token: SeDebugPrivilege	3936	rundll32.exe
Token: SeDebugPrivilege	2568	JoSetp.exe
Token: SeDebugPrivilege	3936	rundll32.exe
Token: SeDebugPrivilege	3936	rundll32.exe
Token: SeDebugPrivilege	3936	rundll32.exe
Token: SeDebugPrivilege	3936	rundll32.exe
Token: SeDebugPrivilege	3936	rundll32.exe
Token: SeDebugPrivilege	3936	rundll32.exe
Token: SeDebugPrivilege	3936	rundll32.exe
Token: SeDebugPrivilege	3936	rundll32.exe
Token: SeDebugPrivilege	3564	Ultra.exe
Token: SeTcbPrivilege	3196	svchost.exe
Token: SeAuditPrivilege	2408	svchost.exe
Token: SeDebugPrivilege	4136	Vycefycaebae.exe
Token: SeDebugPrivilege	4212	Haefibofuqu.exe
Token: SeAssignPrimaryTokenPrivilege	2672	svchost.exe
Token: SeIncreaseQuotaPrivilege	2672	svchost.exe
Token: SeSecurityPrivilege	2672	svchost.exe
Token: SeTakeOwnershipPrivilege	2672	svchost.exe
Token: SeLoadDriverPrivilege	2672	svchost.exe
Token: SeSystemtimePrivilege	2672	svchost.exe
Token: SeBackupPrivilege	2672	svchost.exe
Token: SeRestorePrivilege	2672	svchost.exe
Token: SeShutdownPrivilege	2672	svchost.exe
Token: SeSystemEnvironmentPrivilege	2672	svchost.exe
Token: SeUndockPrivilege	2672	svchost.exe
Token: SeManageVolumePrivilege	2672	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2672	svchost.exe
Token: SeIncreaseQuotaPrivilege	2672	svchost.exe
Token: SeSecurityPrivilege	2672	svchost.exe
Token: SeTakeOwnershipPrivilege	2672	svchost.exe
Token: SeLoadDriverPrivilege	2672	svchost.exe
Token: SeSystemtimePrivilege	2672	svchost.exe
Token: SeBackupPrivilege	2672	svchost.exe
Token: SeRestorePrivilege	2672	svchost.exe
Token: SeShutdownPrivilege	2672	svchost.exe
Token: SeSystemEnvironmentPrivilege	2672	svchost.exe
Token: SeUndockPrivilege	2672	svchost.exe
Token: SeManageVolumePrivilege	2672	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2672	svchost.exe
Token: SeIncreaseQuotaPrivilege	2672	svchost.exe
Token: SeSecurityPrivilege	2672	svchost.exe
Token: SeTakeOwnershipPrivilege	2672	svchost.exe
Token: SeLoadDriverPrivilege	2672	svchost.exe
Token: SeSystemtimePrivilege	2672	svchost.exe
Token: SeBackupPrivilege	2672	svchost.exe
Token: SeRestorePrivilege	2672	svchost.exe
Token: SeShutdownPrivilege	2672	svchost.exe
Token: SeSystemEnvironmentPrivilege	2672	svchost.exe
Token: SeUndockPrivilege	2672	svchost.exe
Token: SeManageVolumePrivilege	2672	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2672	svchost.exe
Token: SeIncreaseQuotaPrivilege	2672	svchost.exe
Token: SeSecurityPrivilege	2672	svchost.exe
Token: SeTakeOwnershipPrivilege	2672	svchost.exe
Token: SeLoadDriverPrivilege	2672	svchost.exe
Token: SeSystemtimePrivilege	2672	svchost.exe
Token: SeBackupPrivilege	2672	svchost.exe
Token: SeRestorePrivilege	2672	svchost.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1344	ultramediaburner.tmp
3748	installer.exe
5864	Conhost.exe
6988	prolab.tmp
7136	irecord.tmp
6424	Setup3310.tmp
5500	DllHost.exe
4124	installer.exe
4480	installer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1968	xiuhuali.exe
1968	xiuhuali.exe
4724	MicrosoftEdge.exe
724	Process not Found
724	Process not Found
3004	MicrosoftEdge.exe
6140	MicrosoftEdgeCP.exe
6140	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3016	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 500 wrote to memory of 1968	500	keygen-step-4.exe	76
PID 500 wrote to memory of 1968	500	keygen-step-4.exe	76
PID 500 wrote to memory of 1968	500	keygen-step-4.exe	76
PID 1968 wrote to memory of 3936	1968	xiuhuali.exe	78
PID 1968 wrote to memory of 3936	1968	xiuhuali.exe	78
PID 1968 wrote to memory of 3936	1968	xiuhuali.exe	78
PID 500 wrote to memory of 2568	500	keygen-step-4.exe	79
PID 500 wrote to memory of 2568	500	keygen-step-4.exe	79
PID 3936 wrote to memory of 3196	3936	rundll32.exe	71
PID 3196 wrote to memory of 932	3196	svchost.exe	80
PID 3196 wrote to memory of 932	3196	svchost.exe	80
PID 3936 wrote to memory of 2760	3936	rundll32.exe	32
PID 3196 wrote to memory of 932	3196	svchost.exe	80
PID 3936 wrote to memory of 68	3936	rundll32.exe	62
PID 3936 wrote to memory of 2400	3936	rundll32.exe	39
PID 3936 wrote to memory of 2408	3936	rundll32.exe	20
PID 3936 wrote to memory of 1108	3936	rundll32.exe	57
PID 3936 wrote to memory of 412	3936	rundll32.exe	59
PID 3936 wrote to memory of 1412	3936	rundll32.exe	13
PID 3936 wrote to memory of 1944	3936	rundll32.exe	18
PID 3936 wrote to memory of 1240	3936	rundll32.exe	11
PID 3936 wrote to memory of 1332	3936	rundll32.exe	16
PID 3936 wrote to memory of 2672	3936	rundll32.exe	35
PID 3936 wrote to memory of 2688	3936	rundll32.exe	34
PID 500 wrote to memory of 188	500	keygen-step-4.exe	81
PID 500 wrote to memory of 188	500	keygen-step-4.exe	81
PID 500 wrote to memory of 188	500	keygen-step-4.exe	81
PID 188 wrote to memory of 3552	188	Install.exe	82
PID 188 wrote to memory of 3552	188	Install.exe	82
PID 188 wrote to memory of 3552	188	Install.exe	82
PID 3552 wrote to memory of 3564	3552	Install.tmp	83
PID 3552 wrote to memory of 3564	3552	Install.tmp	83
PID 3196 wrote to memory of 3780	3196	svchost.exe	86
PID 3196 wrote to memory of 3780	3196	svchost.exe	86
PID 3196 wrote to memory of 3780	3196	svchost.exe	86
PID 3564 wrote to memory of 4008	3564	Ultra.exe	87
PID 3564 wrote to memory of 4008	3564	Ultra.exe	87
PID 3564 wrote to memory of 4008	3564	Ultra.exe	87
PID 4008 wrote to memory of 1344	4008	ultramediaburner.exe	88
PID 4008 wrote to memory of 1344	4008	ultramediaburner.exe	88
PID 4008 wrote to memory of 1344	4008	ultramediaburner.exe	88
PID 3564 wrote to memory of 4136	3564	Ultra.exe	90
PID 3564 wrote to memory of 4136	3564	Ultra.exe	90
PID 1344 wrote to memory of 4176	1344	ultramediaburner.tmp	91
PID 1344 wrote to memory of 4176	1344	ultramediaburner.tmp	91
PID 3564 wrote to memory of 4212	3564	Ultra.exe	92
PID 3564 wrote to memory of 4212	3564	Ultra.exe	92
PID 500 wrote to memory of 4316	500	keygen-step-4.exe	93
PID 500 wrote to memory of 4316	500	keygen-step-4.exe	93
PID 500 wrote to memory of 4316	500	keygen-step-4.exe	93
PID 4212 wrote to memory of 1004	4212	Haefibofuqu.exe	231
PID 4212 wrote to memory of 1004	4212	Haefibofuqu.exe	231
PID 4316 wrote to memory of 2720	4316	filee.exe	100
PID 4316 wrote to memory of 2720	4316	filee.exe	100
PID 4316 wrote to memory of 2720	4316	filee.exe	100
PID 2720 wrote to memory of 4120	2720	cmd.exe	102
PID 2720 wrote to memory of 4120	2720	cmd.exe	102
PID 2720 wrote to memory of 4120	2720	cmd.exe	102
PID 1004 wrote to memory of 4888	1004	jfiag3g_gg.exe	109
PID 1004 wrote to memory of 4888	1004	jfiag3g_gg.exe	109
PID 1004 wrote to memory of 4888	1004	jfiag3g_gg.exe	109
PID 4212 wrote to memory of 4968	4212	Haefibofuqu.exe	107
PID 4212 wrote to memory of 4968	4212	Haefibofuqu.exe	107
PID 500 wrote to memory of 3200	500	keygen-step-4.exe	105

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1332

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1944

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2760

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
- Modifies registry class
PID:2688

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1108

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:412
- C:\Users\Admin\AppData\Roaming\uahatfe
  C:\Users\Admin\AppData\Roaming\uahatfe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6432
- - C:\Users\Admin\AppData\Roaming\uahatfe
    C:\Users\Admin\AppData\Roaming\uahatfe
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:5952
- C:\Users\Admin\AppData\Roaming\bhhatfe
  C:\Users\Admin\AppData\Roaming\bhhatfe
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5576
- C:\Users\Admin\AppData\Roaming\uahatfe
  C:\Users\Admin\AppData\Roaming\uahatfe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5000
- - C:\Users\Admin\AppData\Roaming\uahatfe
    C:\Users\Admin\AppData\Roaming\uahatfe
    3⤵
    - Checks SCSI registry key(s)
    PID:4500
- C:\Users\Admin\AppData\Roaming\bhhatfe
  C:\Users\Admin\AppData\Roaming\bhhatfe
  2⤵
  - Checks SCSI registry key(s)
  PID:4556
- C:\Users\Admin\AppData\Roaming\uahatfe
  C:\Users\Admin\AppData\Roaming\uahatfe
  2⤵
  PID:8856
- C:\Users\Admin\AppData\Roaming\bhhatfe
  C:\Users\Admin\AppData\Roaming\bhhatfe
  2⤵
  PID:8868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:68

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:500
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3936
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:188
- - C:\Users\Admin\AppData\Local\Temp\is-QCHBP.tmp\Install.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-QCHBP.tmp\Install.tmp" /SL5="$60080,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Users\Admin\AppData\Local\Temp\is-3JTM4.tmp\Ultra.exe
      "C:\Users\Admin\AppData\Local\Temp\is-3JTM4.tmp\Ultra.exe" /S /UID=burnerch1
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Program Files\Windows Photo Viewer\EHNMVIERBM\ultramediaburner.exe
        
        "C:\Program Files\Windows Photo Viewer\EHNMVIERBM\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4008
      - C:\Users\Admin\AppData\Local\Temp\is-IUMQR.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IUMQR.tmp\ultramediaburner.tmp" /SL5="$301B6,281924,62464,C:\Program Files\Windows Photo Viewer\EHNMVIERBM\ultramediaburner.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        7⤵
        Executes dropped EXE
        
        PID:4176
    - - C:\Users\Admin\AppData\Local\Temp\20-a84a1-328-b96a3-5ae69015721ee\Vycefycaebae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\20-a84a1-328-b96a3-5ae69015721ee\Vycefycaebae.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
    - - C:\Users\Admin\AppData\Local\Temp\35-cf8b4-ecf-e6db1-575242aa88087\Haefibofuqu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\35-cf8b4-ecf-e6db1-575242aa88087\Haefibofuqu.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4212
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nlojiyee.4vf\001.exe & exit
        6⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\nlojiyee.4vf\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\nlojiyee.4vf\001.exe
        7⤵
        
        PID:4888
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\31i2hlln.bll\GcleanerEU.exe /eufive & exit
        6⤵
        
        PID:4968
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uuszpsw4.3kp\installer.exe /qn CAMPAIGN="654" & exit
        6⤵
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\uuszpsw4.3kp\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\uuszpsw4.3kp\installer.exe /qn CAMPAIGN="654"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:3748
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\uuszpsw4.3kp\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\uuszpsw4.3kp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1622039167 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        8⤵
        
        PID:5580
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\to2cr3by.gux\gaoou.exe & exit
        6⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\to2cr3by.gux\gaoou.exe
        
        C:\Users\Admin\AppData\Local\Temp\to2cr3by.gux\gaoou.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:7852
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\31ywuqrm.fov\Setup3310.exe /Verysilent /subid=623 & exit
        6⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\31ywuqrm.fov\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\31ywuqrm.fov\Setup3310.exe /Verysilent /subid=623
        7⤵
        Executes dropped EXE
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\is-P8EF5.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-P8EF5.tmp\Setup3310.tmp" /SL5="$203FE,138429,56832,C:\Users\Admin\AppData\Local\Temp\31ywuqrm.fov\Setup3310.exe" /Verysilent /subid=623
        8⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\is-193P8.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-193P8.tmp\Setup.exe" /Verysilent
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5924
        
        C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
        10⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        Executes dropped EXE
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        Executes dropped EXE
        
        PID:6228
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:8008
        
        C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
        10⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
        11⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im RunWW.exe /f
        12⤵
        Executes dropped EXE
        Kills process with taskkill
        
        PID:5508
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        12⤵
        Delays execution with timeout.exe
        
        PID:6716
        
        C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        11⤵
        Loads dropped DLL
        
        PID:6464
        
        C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        10⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\is-91FCJ.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-91FCJ.tmp\LabPicV3.tmp" /SL5="$104D4,140559,56832,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\Temp\is-NPOGI.tmp\___________23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-NPOGI.tmp\___________23.exe" /S /UID=lab214
        12⤵
        
        PID:5716
        
        C:\Program Files\Windows Portable Devices\IKAUBVITVL\prolab.exe
        
        "C:\Program Files\Windows Portable Devices\IKAUBVITVL\prolab.exe" /VERYSILENT
        13⤵
        Executes dropped EXE
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\Temp\is-CLCFA.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CLCFA.tmp\prolab.tmp" /SL5="$50496,575243,216576,C:\Program Files\Windows Portable Devices\IKAUBVITVL\prolab.exe" /VERYSILENT
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\dd-54c4f-fc8-6c19b-176dd911d1f8b\Caejejaboma.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dd-54c4f-fc8-6c19b-176dd911d1f8b\Caejejaboma.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:7088
        
        C:\Users\Admin\AppData\Local\Temp\71-21f23-b45-208b6-80fbeccac4d5d\ZHyrigecaeqy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\71-21f23-b45-208b6-80fbeccac4d5d\ZHyrigecaeqy.exe"
        13⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ktksnfgy.sd2\001.exe & exit
        14⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\ktksnfgy.sd2\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\ktksnfgy.sd2\001.exe
        15⤵
        
        PID:6232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cipxtjtf.cbf\GcleanerEU.exe /eufive & exit
        14⤵
        
        PID:5552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2cqr3ou4.o31\installer.exe /qn CAMPAIGN="654" & exit
        14⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\2cqr3ou4.o31\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\2cqr3ou4.o31\installer.exe /qn CAMPAIGN="654"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:5284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\025mm1zd.3og\gaoou.exe & exit
        14⤵
        
        PID:6956
        
        C:\Users\Admin\AppData\Local\Temp\025mm1zd.3og\gaoou.exe
        
        C:\Users\Admin\AppData\Local\Temp\025mm1zd.3og\gaoou.exe
        15⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        
        PID:7536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pcr4lzls.oaj\Setup3310.exe /Verysilent /subid=623 & exit
        14⤵
        
        PID:3860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\pcr4lzls.oaj\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\pcr4lzls.oaj\Setup3310.exe /Verysilent /subid=623
        15⤵
        Executes dropped EXE
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\is-HFEMK.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HFEMK.tmp\Setup3310.tmp" /SL5="$30324,138429,56832,C:\Users\Admin\AppData\Local\Temp\pcr4lzls.oaj\Setup3310.exe" /Verysilent /subid=623
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\is-TEN9L.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-TEN9L.tmp\Setup.exe" /Verysilent
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cgxwfxus.3vk\google-game.exe & exit
        14⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\cgxwfxus.3vk\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\cgxwfxus.3vk\google-game.exe
        15⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:5068
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
        16⤵
        Loads dropped DLL
        
        PID:5356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\refawvmg.phv\005.exe & exit
        14⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\refawvmg.phv\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\refawvmg.phv\005.exe
        15⤵
        
        PID:6056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ux4zq0q.1jm\toolspab1.exe & exit
        14⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\1ux4zq0q.1jm\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ux4zq0q.1jm\toolspab1.exe
        15⤵
        Suspicious use of SetThreadContext
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\1ux4zq0q.1jm\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ux4zq0q.1jm\toolspab1.exe
        16⤵
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5phksm5q.wzp\GcleanerWW.exe /mixone & exit
        14⤵
        
        PID:4736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u0nue2p1.cl2\installer.exe /qn CAMPAIGN="654" & exit
        14⤵
        
        PID:5948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:5716
        
        C:\Users\Admin\AppData\Local\Temp\u0nue2p1.cl2\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\u0nue2p1.cl2\installer.exe /qn CAMPAIGN="654"
        15⤵
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:4480
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\u0nue2p1.cl2\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\u0nue2p1.cl2\ EXE_CMD_LINE="/forcecleanup /wintime 1622039167 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        16⤵
        
        PID:5112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aqaboblo.x4z\702564a0.exe & exit
        14⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\aqaboblo.x4z\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\aqaboblo.x4z\702564a0.exe
        15⤵
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:4580
        
        C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        10⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\is-HFA6N.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HFA6N.tmp\lylal220.tmp" /SL5="$104D6,140518,56832,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\is-NPOGH.tmp\___________RUb__________y.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-NPOGH.tmp\___________RUb__________y.exe" /S /UID=lylal220
        12⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:6008
        
        C:\Program Files\Windows Defender\DHHTXRAAXU\irecord.exe
        
        "C:\Program Files\Windows Defender\DHHTXRAAXU\irecord.exe" /VERYSILENT
        13⤵
        Executes dropped EXE
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\Temp\is-T1I3I.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-T1I3I.tmp\irecord.tmp" /SL5="$104F8,6139911,56832,C:\Program Files\Windows Defender\DHHTXRAAXU\irecord.exe" /VERYSILENT
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:7136
        
        C:\Program Files (x86)\recording\i-record.exe
        
        "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\be-0e48a-5f3-0dfb9-56ffb66369aab\Mulidudeba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\be-0e48a-5f3-0dfb9-56ffb66369aab\Mulidudeba.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\39-225cb-e13-37ebe-5d79ff7368e3e\Nifiloxyshae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\39-225cb-e13-37ebe-5d79ff7368e3e\Nifiloxyshae.exe"
        13⤵
        Executes dropped EXE
        
        PID:6200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hs5on2s3.azq\001.exe & exit
        14⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\hs5on2s3.azq\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\hs5on2s3.azq\001.exe
        15⤵
        Executes dropped EXE
        
        PID:7160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dfz1c44b.yvn\GcleanerEU.exe /eufive & exit
        14⤵
        
        PID:2540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4tizvjjx.hic\installer.exe /qn CAMPAIGN="654" & exit
        14⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\4tizvjjx.hic\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\4tizvjjx.hic\installer.exe /qn CAMPAIGN="654"
        15⤵
        Executes dropped EXE
        
        PID:6012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qn3pxouf.hjm\gaoou.exe & exit
        14⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\qn3pxouf.hjm\gaoou.exe
        
        C:\Users\Admin\AppData\Local\Temp\qn3pxouf.hjm\gaoou.exe
        15⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        Executes dropped EXE
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        16⤵
        
        PID:7428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4r2amwbm.mb5\Setup3310.exe /Verysilent /subid=623 & exit
        14⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\4r2amwbm.mb5\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\4r2amwbm.mb5\Setup3310.exe /Verysilent /subid=623
        15⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\is-ILC72.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ILC72.tmp\Setup3310.tmp" /SL5="$3032C,138429,56832,C:\Users\Admin\AppData\Local\Temp\4r2amwbm.mb5\Setup3310.exe" /Verysilent /subid=623
        16⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\is-FECM9.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-FECM9.tmp\Setup.exe" /Verysilent
        17⤵
        Drops file in Program Files directory
        
        PID:5848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lk1mcso2.42c\google-game.exe & exit
        14⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\lk1mcso2.42c\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\lk1mcso2.42c\google-game.exe
        15⤵
        Checks computer location settings
        
        PID:1248
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
        16⤵
        Loads dropped DLL
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sxgtl1p2.4nv\005.exe & exit
        14⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\sxgtl1p2.4nv\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\sxgtl1p2.4nv\005.exe
        15⤵
        
        PID:4800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lzwck5u0.lgj\toolspab1.exe & exit
        14⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\lzwck5u0.lgj\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\lzwck5u0.lgj\toolspab1.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\lzwck5u0.lgj\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\lzwck5u0.lgj\toolspab1.exe
        16⤵
        
        PID:3564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vblbpzab.ccp\GcleanerWW.exe /mixone & exit
        14⤵
        
        PID:6876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cxrwwhgc.fzs\installer.exe /qn CAMPAIGN="654" & exit
        14⤵
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\cxrwwhgc.fzs\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\cxrwwhgc.fzs\installer.exe /qn CAMPAIGN="654"
        15⤵
        
        PID:7164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rs3bhofq.mtv\702564a0.exe & exit
        14⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\rs3bhofq.mtv\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\rs3bhofq.mtv\702564a0.exe
        15⤵
        Executes dropped EXE
        
        PID:6232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6232 -s 484
        16⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:4116
        
        C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"
        10⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Users\Admin\AppData\Roaming\4514026.exe
        
        "C:\Users\Admin\AppData\Roaming\4514026.exe"
        11⤵
        Executes dropped EXE
        
        PID:6216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 1608
        12⤵
        Drops file in Windows directory
        Program crash
        
        PID:5960
        
        C:\Users\Admin\AppData\Roaming\7218898.exe
        
        "C:\Users\Admin\AppData\Roaming\7218898.exe"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:6336
        
        C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        12⤵
        Executes dropped EXE
        
        PID:6888
        
        C:\Users\Admin\AppData\Roaming\2176286.exe
        
        "C:\Users\Admin\AppData\Roaming\2176286.exe"
        11⤵
        Executes dropped EXE
        
        PID:6448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6448 -s 704
        12⤵
        Program crash
        
        PID:4764
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cqujc0yk.lga\google-game.exe & exit
        6⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\cqujc0yk.lga\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\cqujc0yk.lga\google-game.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:5620
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
        8⤵
        
        PID:5980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fzqijsw4.dhn\005.exe & exit
        6⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\fzqijsw4.dhn\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\fzqijsw4.dhn\005.exe
        7⤵
        Executes dropped EXE
        
        PID:6120
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jtlozq3v.jpm\toolspab1.exe & exit
        6⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\jtlozq3v.jpm\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\jtlozq3v.jpm\toolspab1.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6984
        
        C:\Users\Admin\AppData\Local\Temp\jtlozq3v.jpm\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\jtlozq3v.jpm\toolspab1.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:2256
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nzetr3j1.dyh\GcleanerWW.exe /mixone & exit
        6⤵
        
        PID:6432
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1mjy0z2l.qej\installer.exe /qn CAMPAIGN="654" & exit
        6⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\1mjy0z2l.qej\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\1mjy0z2l.qej\installer.exe /qn CAMPAIGN="654"
        7⤵
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:4124
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1mjy0z2l.qej\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\1mjy0z2l.qej\ EXE_CMD_LINE="/forcecleanup /wintime 1622039167 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        8⤵
        
        PID:5096
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\js5j23mc.hsb\702564a0.exe & exit
        6⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\js5j23mc.hsb\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\js5j23mc.hsb\702564a0.exe
        7⤵
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:4376
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe" >> NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4120
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:3200
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
  2⤵
  - Executes dropped EXE
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:2032
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:720
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:4648
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:1520

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:932
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:3780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4724

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:724

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4328
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FB2DF5A20FF4F238A9F79DB416446818 C
  2⤵
  - Loads dropped DLL
  PID:5220
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 93BEBD5E9CFD04261D7F7610D0F6A09A
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2260
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:6112
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 85FB1B3BD7332CD857B4635160096981 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5980
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 450DA7E1345AD13BEB9B0B38A266D53A C
  2⤵
  - Loads dropped DLL
  PID:6516
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8B781314AEA901C8F982CCD07647E606
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:6172
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:4972
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 258B2C19F4208648AECF52DF3B45BA44 E Global\MSI0000
  2⤵
  PID:6524
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2302342BC1985B90250FEA1A181A948B C
  2⤵
  PID:6088
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 91D5A46843F80F51C47A6EFA7DFAC0FA
  2⤵
  - Blocklisted process makes network request
  PID:1960
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5804
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:5884
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 21E915DE4C466815B0C6D64B2AB1AF49 E Global\MSI0000
  2⤵
  PID:5844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3004

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6948

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7060

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4964

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5540

C:\Users\Admin\AppData\Local\Temp\9C5B.exe
C:\Users\Admin\AppData\Local\Temp\9C5B.exe
1⤵
- Checks processor information in registry
PID:4992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im 9C5B.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\9C5B.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:4508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 9C5B.exe /f
    3⤵
    - Kills process with taskkill
    PID:6588
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5480

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Executes dropped EXE
PID:5436

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5500

C:\Users\Admin\AppData\Local\Temp\F564.exe
C:\Users\Admin\AppData\Local\Temp\F564.exe
1⤵
PID:7104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F564.exe"
  2⤵
  PID:5324
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7112

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3940

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5900

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6776

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5464

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4464

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6804

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6064

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5336

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4852

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:7108

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6792

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5076

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6848

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:696

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5952

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6632
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 6632 -s 3088
  2⤵
  - Program crash
  PID:904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5736

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4108
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4108 -s 2056
  2⤵
  - Program crash
  PID:4752

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5432

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1068

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4656

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7344

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7644

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8080

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2860

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6656
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 6656 -s 1232
  2⤵
  - Program crash
  PID:4716

C:\Users\Admin\AppData\Local\Temp\547F.exe
C:\Users\Admin\AppData\Local\Temp\547F.exe
1⤵
PID:7888
- C:\Users\Admin\AppData\Local\Temp\547F.exe
  "C:\Users\Admin\AppData\Local\Temp\547F.exe"
  2⤵
  PID:9680
- C:\Users\Admin\AppData\Local\Temp\547F.exe
  "C:\Users\Admin\AppData\Local\Temp\547F.exe"
  2⤵
  PID:9692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 9692 -s 1500
    3⤵
    - Program crash
    PID:9764

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9700

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11012

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11100

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11684

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:12132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9712

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery