8e5deeda104e2d39c40cd5251f598c640e03f49a1fde55a16e2a999208f0d48a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	vs.exe

Loads dropped DLL 59 IoCs

pid	Process
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
2284	AsepriteTool.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
4204	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\6EA26FFDFC3C3CADAF6C = "\"C:\\Program Files (x86)\\Microsoft Visual Studio\\Installer\\setup.exe\" resume --installPath \"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\" --runOnce --installSessionId 10152e79-f30c-4e10-a59a-3fc23bd1b4ce"	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\wbem\AutoRecover\4E9BED298E4A2447DA493DE14F1E57F4.mof	mofcomp.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\it\Microsoft.Build.Tasks.Core.resources.dll	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\VB\Snippets\1033\os\EventLog\ReadEntriesCreatedbyaParticularApplicationfromtheEventlog.snippet	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\numpy\core\tests\data\umath-validation-set-log.csv	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\setuptools\_distutils\command\__pycache__\build_clib.cpython-39.pyc	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\win32\test\test_win32pipe.py	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\ServiceHub\Services\VsixServiceDiscovery\zh-Hans\Microsoft.ServiceHub.Analyzers.resources.dll	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VBCSharp\LanguageServices\zh-Hant\Microsoft.CodeAnalysis.Features.resources.dll	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\pandas\tests\io\excel\__init__.py	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\pytz\zoneinfo\Africa\Cairo	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\pytz\zoneinfo\Africa\Mbabane	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\rh2bolzs.jqq\fr\Microsoft.TeamFoundation.Common.resources.dll	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VBCSharp\LanguageServices\Core\cs\Microsoft.VisualStudio.LanguageServer.Protocol.Internal.resources.dll	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\numpy\core\tests\test_nditer.py	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\pytz\zoneinfo\America\Phoenix	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Platform\Guide\Content\Images\ASPNET\Locals3.png	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\en\Microsoft.VisualStudio.ImageCatalog.resources.dll	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\rh2bolzs.jqq\zh-Hant\Microsoft.TeamFoundation.Common.resources.dll	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VBCSharp\LanguageServices\cs\Microsoft.CodeAnalysis.EditorFeatures.Wpf.resources.dll	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\NuGet\es\Microsoft.Web.XmlTransform.resources.dll	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\ja-JP\VisualBasic.xaml	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\azure\core\utils\_pipeline_transport_rest_shared.py	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\pandas\tests\indexes\ranges\test_setops.py	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\Microsoft\Web Tools Shared\Configs\assets\images\images.json	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\Microsoft\DebuggerServices\es\Microsoft.VisualStudio.Debugger.BrokeredServices.resources.dll	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\ServiceHub\controller\Microsoft.Win32.Registry.dll	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw64\share\git-core\templates\hooks\applypatch-msg.sample	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\dotnet\runtime\shared\Microsoft.WindowsDesktop.App\6.0.12\ko\PresentationUI.resources.dll	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\numpy\random\_philox.pyi	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.visualelementsmanifest.xml	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.winprf	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\ServiceHub\Hosts\ServiceHub.Host.Dotnet.x64\coreClr.RoslynCodeAnalysisService.servicehub.host.json	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\dotnet\runtime\shared\Microsoft.WindowsDesktop.App\6.0.12\fr\WindowsBase.resources.dll	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\cffi\api.py	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw64\bin\Microsoft.Web.WebView2.Wpf.dll	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\cs\Microsoft.VisualStudio.Services.WebApi.resources.dll	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw64\share\git-core\templates\hooks\post-update.sample	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\amd64\MSBuildTaskHost.exe.config	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PublicAssemblies\Microsoft.Bcl.HashCode.dll	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\PoirotClientScripts.cat	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VBCSharp\LanguageServices\Microsoft.CodeAnalysis.ExternalAccess.Debugger.dll	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.TextManager.Interop.10.0.dll	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\NuGet\pl\NuGet.Packaging.resources.dll	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\VC\vcpackages\x86\concrt140.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\amd64\KernelTraceControl.dll	vs_setup_bootstrapper.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\pandas\tests\io\formats\style\test_align.py	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Remote Debugger\Appx\AppxDebug.dll	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\cffi\ffiplatform.py	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\numpy\core\tests\test_longdouble.py	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\pkg_resources\_vendor\__init__.py	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\setuptools\command\__pycache__\build_py.cpython-39.pyc	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\Microsoft\VsGraphics\TemplateDefaults\defaultfile.dgsl	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\pandas\core\reshape\__pycache__\api.cpython-39.pyc	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\Microsoft\VsGraphics\Assets\Scripts\copy.js	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\fr\Microsoft.TeamFoundation.TestImpact.BuildIntegration.resources.dll	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\numpy\distutils\checks\extra_avx512dq_mask.c	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\pandas\tests\frame\methods\__pycache__\test_nlargest.cpython-39.pyc	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\setuptools\_distutils\command\__pycache__\upload.cpython-39.pyc	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Remote Debugger\x64\Microsoft.VisualStudio.vil.host.dll	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\ailyv0bf.qzo\zh-Hans\Microsoft.VisualStudio.Navigation.RichCodeNav.resources.dll	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw64\share\licenses\pcre2\COPYING	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\numpy\f2py\tests\src\parameter\constant_real.f90	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\lib\site-packages\numpy\typing\tests\data\reveal\ctypeslib.pyi	setup.exe
File opened for modification	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Platform\Debugger\WebViews\snapshotGlyph.png	setup.exe
File created	C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VBCSharp\LanguageServices\it\Microsoft.CodeAnalysis.Workspaces.resources.dll	setup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e5ae178.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6AA3DE9F-ADDE-463B-8F29-27DD247C5282}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{56373DD6-9A8E-4C0C-95F6-F64DF2054A6F}	msiexec.exe
File created	C:\Windows\Installer\e5ae180.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ae184.msi	msiexec.exe
File created	C:\Windows\Installer\e5ae187.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB7C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ae168.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7FAA.tmp	msiexec.exe
File created	C:\Windows\Installer\e5ae188.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{49559293-3192-40D3-864C-5AB88E744A79}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE532.tmp	msiexec.exe
File created	C:\Windows\Installer\e5ae17b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ae18c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Microsoft.Build.UnGAC.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	ngen.exe
File created	C:\Windows\Installer\e5ae16c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ae17c.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{721FAF11-41E2-45DB-949A-7E3E510A0EF0}	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ae180.msi	msiexec.exe
File created	C:\Windows\Installer\e5ae184.msi	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\e5ae16c.msi	msiexec.exe
File created	C:\Windows\Installer\e5ae174.msi	msiexec.exe
File created	C:\Windows\Installer\e5ae177.msi	msiexec.exe
File created	C:\Windows\Installer\e5ae18b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ae190.msi	msiexec.exe
File created	C:\Windows\Installer\e5ae16b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{ACBBFCA9-A48A-425A-BF50-B6FB8EFE7934}	msiexec.exe
File created	C:\Windows\Installer\e5ae173.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ae178.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1AB2F81F-A360-4BE1-B68F-B50F0609A1AE}	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ae188.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C8EA234A-FC2F-4EEC-BF7F-DB14C28C84D2}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B1CFE19E-298A-4D14-BACD-CAA36AC4895B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC96.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ae174.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7150.tmp	msiexec.exe
File created	C:\Windows\Installer\e5ae183.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7661.tmp	msiexec.exe
File created	C:\Windows\Installer\e5ae190.msi	msiexec.exe
File created	C:\Windows\Installer\e5ae168.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e5ae18f.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{85516DED-4402-44CD-9D01-1D1F3D0C0178}	msiexec.exe
File created	C:\Windows\Installer\e5ae170.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ae170.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3EE4.tmp	msiexec.exe
File created	C:\Windows\Installer\e5ae18c.msi	msiexec.exe
File created	C:\Windows\Installer\e5ae16f.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C32CB038-8A83-4860-853F-9168214E3536}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8EFE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7176.tmp	msiexec.exe
File created	C:\Windows\Fonts\CascadiaMono.ttf	msiexec.exe
File created	C:\Windows\Installer\e5ae193.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Fonts\CascadiaCode.ttf	msiexec.exe
File created	C:\Windows\Installer\SourceHash{12B0A225-610B-43DA-8585-E2EAD563D611}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2FF.tmp	msiexec.exe
File created	C:\Windows\Installer\e5ae17c.msi	msiexec.exe
File created	C:\Windows\Installer\e5ae17f.msi	msiexec.exe

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0006000000022e1e-133.dat	pyinstaller
behavioral1/files/0x0006000000022e1e-134.dat	pyinstaller
behavioral1/files/0x0006000000022e1e-136.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vs_setup_bootstrapper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vs_setup_bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vs_setup_bootstrapper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MofCompiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MofCompiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MofCompiler.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SQMClient\UserId = "{6B65F05F-6F0C-47ED-B866-2142289BB874}"	MofCompiler.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\VisualStudio\Telemetry\PersistentPropertyBag\mac.address = "s:be24f21dbcc7fab312d641446bbb6071cb9be3fb8e12ca57ffb31a195b133246"	MofCompiler.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MofCompiler.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\VisualStudio\Telemetry\PersistentPropertyBag	MofCompiler.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\VisualStudio\Telemetry\PersistentPropertyBag\mofcompiler\VS.TelemetryApi.ChannelsDisposeLatency = "74"	MofCompiler.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\VisualStudio\Telemetry\PersistentPropertyBag\mofcompiler\VS.TelemetryApi.DroppedEventsDuringDisposing = "0"	MofCompiler.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\VisualStudio\Telemetry	MofCompiler.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\VisualStudio\Telemetry\PersistentPropertyBag\mofcompiler	MofCompiler.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	MofCompiler.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MofCompiler.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\VisualStudio	MofCompiler.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MofCompiler.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SQMClient	MofCompiler.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MofCompiler.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	MofCompiler.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\VisualStudio\Telemetry\VS.Core.Machine.VirtualMachineType = "0"	MofCompiler.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\VisualStudio\Telemetry\PersistentPropertyBag\mofcompiler\VS.TelemetryApi.TotalDisposeLatency = "515"	MofCompiler.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE27B230-A0BF-47FF-A2D1-22C29A178EAC}\ = "IDebugMachineEx2_V7"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEE9B76E-CFE3-11D1-B747-00C04FC2B085}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2E34EAE-8B9D-11D2-9014-00C04FA38338}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.Launcher._vbxsln100\NoOpen	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF032216-2C7F-4682-84C1-76EF432D840B}\ = "IDebugPointerObject2"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FB8D2032-2858-414C-83D9-F732664E0C7A}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VisualStudio.Launcher._sln70	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\522A0B21B016AD3458582EAE5D366D11\PackageCode = "48540715A1F324146BF55F8B793EB58B"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.Launcher.vcproj.4a60cdb3	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.asm\Content Type = "text/plain"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CA07D9CA-5A07-4182-80FF-D0938F884F7D}\NumMethods\ = "6"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E2BD568-7CEE-4166-ABC9-495BA8D3054A}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5637291-D779-4580-A82C-0D523E7FDCF0}\NumMethods\ = "5"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.bmp.4a60cdb3\shell\Open\ddeexec\Topic	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51973C20-CB0C-11D0-B5C9-00A0244A0E7A}\ProxyStubClsid32\ = "{C5621364-87CC-4731-8947-929CAE75323E}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{304AD878-EB66-4F20-AC1E-011A98F65968}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5B20820-E233-11D2-9037-00C04FA302A1}\NumMethods\ = "14"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2AEE80EF-1BE2-4D87-9511-C935A0957044}\ProxyStubClsid32\ = "{C5621364-87CC-4731-8947-929CAE75323E}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D04D550D-1EA8-4E37-830E-700FEA447688}\ = "ProgramPublisher"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.map.4a60cdb3\shell\Open\Command\ = "\"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe\" /dde"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.Launcher.vcproj.4a60cdb3\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A96ABCCC-C55B-44E4-8977-CD815EA33A58}\ProxyStubClsid32\ = "{C5621364-87CC-4731-8947-929CAE75323E}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2E34EB1-8B9D-11D2-9014-00C04FA38338}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Microsoft.VisualStudio.Setup.Configuration.1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.hlsl.4a60cdb3\shell\Open\Command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.hlsli.4a60cdb3\shell\Open\ddeexec\Topic	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.inl.4a60cdb3\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7C1462F-9736-466C-B2C1-B6B2DEDBF4A7}\ProxyStubClsid32\ = "{C5621364-87CC-4731-8947-929CAE75323E}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C980E8E2-5DD3-4310-868F-59AF24A92327}\ = "IMachineDebugManagerCookieEx"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.rgs.4a60cdb3\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{037EDD0F-8551-4F7F-8CA0-04D9E29F532D}\NumMethods\ = "4"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B90282FC-2D44-4050-A7B2-BF3BCFF8BAF1}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF032216-2C7F-4682-84C1-76EF432D840B}\NumMethods\ = "14"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C43CC2F3-90AF-4E93-9112-DFB8B36749B5}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.Launcher.sln\TileInfo = "prop:Type;DocComments;Size"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.mfcribbon-ms.4a60cdb3\AlwaysShowExt = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30E6C90E-757E-48CF-8DB8-20B061AFBBAE}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51973C03-CB0C-11D0-B5C9-00A0244A0E7A}\NumMethods\ = "5"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93A28A93-52B8-41C9-B1E3-6B5FDF5252AC}\ = "IDebugScriptLEDocument"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D36BEB8-9BFE-47DD-A11B-7BA1DE18E449}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CFA8B871-B933-48D9-B677-E986BCCF2B7C}\ = "IDebugCOMPlusEnvoy"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.cpp.4a60cdb3\shell\Open\ddeexec\Topic	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58F36C3D-7D07-4EBA-A041-62F63E188037}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C077C833-476C-11D2-B73C-0000F87572EF}\ProxyStubClsid32\ = "{C5621364-87CC-4731-8947-929CAE75323E}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.Launcher._vcppxsln90\DefaultIcon\ = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\MSEnv\\VSFileHandler_64.dll,-214"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51973C18-CB0C-11D0-B5C9-00A0244A0E7A}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBB63A8D-BD57-11D2-9238-00A02448799A}\NumMethods\ = "4"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.Launcher._vcppxsln90\NoOpen	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.vb.4a60cdb3	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VisualStudio.xdr.4a60cdb3\shell\Open\Command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53F68191-7B2F-4F14-8E55-40B1B6E5DF66}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C16E7DB2-286B-402F-94BF-00DD7CAD2B91}\NumMethods\ = "10"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B0645AA-08EF-4CB9-ADB9-0395D6EDAD35}\ProxyStubClsid32\ = "{C5621364-87CC-4731-8947-929CAE75323E}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51973C2A-CB0C-11D0-B5C9-00A0244A0E7A}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96643D32-2624-479A-9F1A-25D02030DD3B}\ = "IDebugPendingBreakpoint3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51973C02-CB0C-11D0-B5C9-00A0244A0E7A}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFF0050-6FDD-11D0-9328-00A0C90DCAA9}\ProxyStubClsid32\ = "{C5621364-87CC-4731-8947-929CAE75323E}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA105B52-12F1-4038-AE64-D95785874C47}\ = "IDebugEngine2"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3929559429133D0468C4A58BE847A497\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51973C01-CB0C-11D0-B5C9-00A0244A0E7A}\ProxyStubClsid32\ = "{C5621364-87CC-4731-8947-929CAE75323E}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5C18A5FE-7150-4E66-8246-27BFB0E7BFD9}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C077C833-476C-11D2-B73C-0000F87572EF}\ = "IDebugBinder"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D0785FAA-91D7-4CA2-A302-6555487719F7}\ = "IDebugPortSupplierDescription2"	msiexec.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8BFE3107712B3C886B1C96AAEC89984914DC9B6B	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8BFE3107712B3C886B1C96AAEC89984914DC9B6B\Blob = 0300000001000000140000008bfe3107712b3c886b1c96aaec89984914dc9b6b140000000100000014000000e6fc5f7bbb220058e4724eb5f421742332e6efac040000000100000010000000b7a7b4605e33389f48b33d17cae730060f0000000100000020000000121af4b922a74247ea49df50de37609cc1451a1fe06b2cb7e1e079b492bd819519000000010000001000000016fc4494124fb22d1dd143d205bdc30d5c0000000100000004000000000800001800000001000000100000003c70faea25600ce3b2cc5f0b222ed6292000000001000000740600003082067030820458a003020102020a610c524c000000000003300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303130301e170d3130303730363230343031375a170d3235303730363230353031375a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420436f6465205369676e696e6720504341203230313030820122300d06092a864886f70d01010105000382010f003082010a0282010100e90e64507967b5c4e3fd09004c9e94acf75668ea44d8cfc5584fa9a5767c6d45bad33992b4a41ef9f96582e417d28ffd449c08e86593ce2c5584bf7d08e32e2ba8412b18b7a24b6e494c6b1507ded1d2c2891e7194cdb57f4bb4af08d8cc88d66b17943a93ce263fece6fe349857d51d5d49f6b22a2ed585bb593ff890b42b8374ca2bb33b46e3f04649c1176654c91cbd1dc455625772f867b9252034de5da6a5955eab2880cdd5b29ee503b563d3b214c8c1c88a260a597f07ecff0eed8012354c12a6be525bf5a6dae08b0b4877d68547d510b9c6e8aaee8b6a2d055c60c6b42a5b9c231c5f45e31a141e6f37cb1933806a894da36a66637893d530cf951f0203010001a38201e3308201df301006092b06010401823715010403020100301d0603551d0e04160414e6fc5f7bbb220058e4724eb5f421742332e6efac301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014d5f656cb8fe8a25c6268d13d94905bd7ce9a18c430560603551d1f044f304d304ba049a0478645687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f4365724175745f323031302d30362d32332e63726c305a06082b06010505070101044e304c304a06082b06010505073002863e687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f4365724175745f323031302d30362d32332e63727430819d0603551d2004819530819230818f06092b0601040182372e03308181303d06082b060105050702011631687474703a2f2f7777772e6d6963726f736f66742e636f6d2f504b492f646f63732f4350532f64656661756c742e68746d304006082b0601050507020230341e32201d004c006500670061006c005f0050006f006c006900630079005f00530074006100740065006d0065006e0074002e201d300d06092a864886f70d01010b050003820201001a74ef574f297bc4168578b850d322fc099dac8297f834ff2a2c979512e5e4bfcfbf93c8e334a9db81b8dc1e00bed2356fafe57f799577e502d4f1ebd8cd4e1e1b61a2c25a231af08ca86251456708e33f3c1e93f8308517c83940a6d70eb32129e5a5a1698c2293cc7498e7a14743f253acc00f30697ffed225206d6f61d3df07d5d972002c6986763d51dba63948c937616d07dd5319cba7d661c2bfe283ab0fe06b9b95d67d2851b0894a51a49a6cc8b71f4a1a0e69a9d7dcc17ed14970aab6adbb72476317faa6d6a2a686eca810449b63b6b2698906c746867a183fe8c51d21d57bf902232dc541cbbf1d4cc816efb19c7ffc224b498a6e15e3a67f765bd1537991859dd5d2db3d7335f33cae54b252476ac0aa1395d28e11da99675e328cfb3785d1dc75859c87c65a5785c2bfdd0d8f8c9b2debb4eecf27d3b55e69faa4160401a7246773cf4d4fb6de0556977af7e9524df477054f85c6d80bf18eed4209d10d76e3235678222636becab18c6eaa1de485da4733628fa4c991335f711e40af9865c922e84221258a1c2d60d9378941892a160fd7613c94686052efd64799a08040ee1581773e9ce053181a501d38959b1e663313273917788736ce4ec35fb2f53d4753b6e0e5db0b613d2ad7922cce375a3e404231a41f1008c2569cbf245d51029d6a79d217d3dac1948e077b257144ab066ae6d4c6df239a9675c5	setup.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\AsepriteTool\AsepriteTool.lnk	AsepriteToolInstaller.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1872	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
3964	vs_setup_bootstrapper.exe
4032	setup.exe
3316	setup.exe
3316	setup.exe
3316	setup.exe
3316	setup.exe
3316	setup.exe
3316	setup.exe
3316	setup.exe
3316	setup.exe
3316	setup.exe
3316	setup.exe
3316	setup.exe
1612	msiexec.exe
1612	msiexec.exe
4808	taskmgr.exe
4808	taskmgr.exe
1612	msiexec.exe
1612	msiexec.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
952	MofCompiler.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1804	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1804	msiexec.exe
Token: SeSecurityPrivilege	1612	msiexec.exe
Token: SeCreateTokenPrivilege	1804	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1804	msiexec.exe
Token: SeLockMemoryPrivilege	1804	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1804	msiexec.exe
Token: SeMachineAccountPrivilege	1804	msiexec.exe
Token: SeTcbPrivilege	1804	msiexec.exe
Token: SeSecurityPrivilege	1804	msiexec.exe
Token: SeTakeOwnershipPrivilege	1804	msiexec.exe
Token: SeLoadDriverPrivilege	1804	msiexec.exe
Token: SeSystemProfilePrivilege	1804	msiexec.exe
Token: SeSystemtimePrivilege	1804	msiexec.exe
Token: SeProfSingleProcessPrivilege	1804	msiexec.exe
Token: SeIncBasePriorityPrivilege	1804	msiexec.exe
Token: SeCreatePagefilePrivilege	1804	msiexec.exe
Token: SeCreatePermanentPrivilege	1804	msiexec.exe
Token: SeBackupPrivilege	1804	msiexec.exe
Token: SeRestorePrivilege	1804	msiexec.exe
Token: SeShutdownPrivilege	1804	msiexec.exe
Token: SeDebugPrivilege	1804	msiexec.exe
Token: SeAuditPrivilege	1804	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1804	msiexec.exe
Token: SeChangeNotifyPrivilege	1804	msiexec.exe
Token: SeRemoteShutdownPrivilege	1804	msiexec.exe
Token: SeUndockPrivilege	1804	msiexec.exe
Token: SeSyncAgentPrivilege	1804	msiexec.exe
Token: SeEnableDelegationPrivilege	1804	msiexec.exe
Token: SeManageVolumePrivilege	1804	msiexec.exe
Token: SeImpersonatePrivilege	1804	msiexec.exe
Token: SeCreateGlobalPrivilege	1804	msiexec.exe
Token: SeDebugPrivilege	3964	vs_setup_bootstrapper.exe
Token: SeDebugPrivilege	4032	setup.exe
Token: SeDebugPrivilege	3316	setup.exe
Token: SeDebugPrivilege	5040	VSInitializer.exe
Token: SeShutdownPrivilege	3316	setup.exe
Token: SeIncreaseQuotaPrivilege	3316	setup.exe
Token: SeCreateTokenPrivilege	3316	setup.exe
Token: SeAssignPrimaryTokenPrivilege	3316	setup.exe
Token: SeLockMemoryPrivilege	3316	setup.exe
Token: SeIncreaseQuotaPrivilege	3316	setup.exe
Token: SeMachineAccountPrivilege	3316	setup.exe
Token: SeTcbPrivilege	3316	setup.exe
Token: SeSecurityPrivilege	3316	setup.exe
Token: SeTakeOwnershipPrivilege	3316	setup.exe
Token: SeLoadDriverPrivilege	3316	setup.exe
Token: SeSystemProfilePrivilege	3316	setup.exe
Token: SeSystemtimePrivilege	3316	setup.exe
Token: SeProfSingleProcessPrivilege	3316	setup.exe
Token: SeIncBasePriorityPrivilege	3316	setup.exe
Token: SeCreatePagefilePrivilege	3316	setup.exe
Token: SeCreatePermanentPrivilege	3316	setup.exe
Token: SeBackupPrivilege	3316	setup.exe
Token: SeRestorePrivilege	3316	setup.exe
Token: SeShutdownPrivilege	3316	setup.exe
Token: SeDebugPrivilege	3316	setup.exe
Token: SeAuditPrivilege	3316	setup.exe
Token: SeSystemEnvironmentPrivilege	3316	setup.exe
Token: SeChangeNotifyPrivilege	3316	setup.exe
Token: SeRemoteShutdownPrivilege	3316	setup.exe
Token: SeUndockPrivilege	3316	setup.exe
Token: SeSyncAgentPrivilege	3316	setup.exe
Token: SeEnableDelegationPrivilege	3316	setup.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1644	AsepriteToolInstaller.exe
1804	msiexec.exe
1804	msiexec.exe
4032	setup.exe
4032	setup.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1188	1644	AsepriteToolInstaller.exe	87
PID 1644 wrote to memory of 1188	1644	AsepriteToolInstaller.exe	87
PID 1188 wrote to memory of 2284	1188	AsepriteTool.exe	89
PID 1188 wrote to memory of 2284	1188	AsepriteTool.exe	89
PID 2284 wrote to memory of 1132	2284	AsepriteTool.exe	91
PID 2284 wrote to memory of 1132	2284	AsepriteTool.exe	91
PID 1132 wrote to memory of 1804	1132	cmd.exe	92
PID 1132 wrote to memory of 1804	1132	cmd.exe	92
PID 2284 wrote to memory of 4320	2284	AsepriteTool.exe	95
PID 2284 wrote to memory of 4320	2284	AsepriteTool.exe	95
PID 4320 wrote to memory of 852	4320	cmd.exe	96
PID 4320 wrote to memory of 852	4320	cmd.exe	96
PID 4320 wrote to memory of 852	4320	cmd.exe	96
PID 852 wrote to memory of 3964	852	vs.exe	97
PID 852 wrote to memory of 3964	852	vs.exe	97
PID 852 wrote to memory of 3964	852	vs.exe	97
PID 3964 wrote to memory of 5032	3964	vs_setup_bootstrapper.exe	98
PID 3964 wrote to memory of 5032	3964	vs_setup_bootstrapper.exe	98
PID 3964 wrote to memory of 5032	3964	vs_setup_bootstrapper.exe	98
PID 3964 wrote to memory of 4032	3964	vs_setup_bootstrapper.exe	103
PID 3964 wrote to memory of 4032	3964	vs_setup_bootstrapper.exe	103
PID 4032 wrote to memory of 3748	4032	setup.exe	104
PID 4032 wrote to memory of 3748	4032	setup.exe	104
PID 4032 wrote to memory of 3316	4032	setup.exe	107
PID 4032 wrote to memory of 3316	4032	setup.exe	107
PID 3316 wrote to memory of 2000	3316	setup.exe	108
PID 3316 wrote to memory of 2000	3316	setup.exe	108
PID 3316 wrote to memory of 2000	3316	setup.exe	108
PID 3316 wrote to memory of 2600	3316	setup.exe	110
PID 3316 wrote to memory of 2600	3316	setup.exe	110
PID 3316 wrote to memory of 5040	3316	setup.exe	112
PID 3316 wrote to memory of 5040	3316	setup.exe	112
PID 1612 wrote to memory of 4204	1612	msiexec.exe	113
PID 1612 wrote to memory of 4204	1612	msiexec.exe	113
PID 1612 wrote to memory of 4204	1612	msiexec.exe	113
PID 1612 wrote to memory of 952	1612	msiexec.exe	115
PID 1612 wrote to memory of 952	1612	msiexec.exe	115
PID 952 wrote to memory of 2964	952	MofCompiler.exe	116
PID 952 wrote to memory of 2964	952	MofCompiler.exe	116
PID 952 wrote to memory of 2436	952	MofCompiler.exe	118
PID 952 wrote to memory of 2436	952	MofCompiler.exe	118
PID 3316 wrote to memory of 3372	3316	setup.exe	143
PID 3316 wrote to memory of 3372	3316	setup.exe	143

C:\Users\Admin\AppData\Local\Temp\AsepriteToolInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\AsepriteToolInstaller.exe"
1⤵
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Program Files (x86)\AsepriteTool\AsepriteTool.exe
  "C:\Program Files (x86)\AsepriteTool\AsepriteTool.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Program Files (x86)\AsepriteTool\AsepriteTool.exe
    "C:\Program Files (x86)\AsepriteTool\AsepriteTool.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmake.msi
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\System32\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Program Files (x86)\AsepriteTool\cmake.msi"
        5⤵
        Blocklisted process makes network request
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c vs.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4320
    - - C:\Program Files (x86)\AsepriteTool\vs.exe
        
        vs.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:852
      - C:\Users\Admin\AppData\Local\Temp\3594b52f3911b86e082efeb9c2dc\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3594b52f3911b86e082efeb9c2dc\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Program Files (x86)\AsepriteTool\vs.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Program Files (x86)\AsepriteTool"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\getmac.exe
        
        "getmac"
        7⤵
        
        PID:5032
        
        C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe" /finalizeInstall install --in "C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202301050423181977.json" --locale en-US --activityId "dc890543-aba6-4e5d-8f00-815e437caa4a" --pipe "5c1faa5c-b89d-4ce4-8791-f3e8cbd3b186"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.windows.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.windows.exe" /finalizeinstall 6F320B93-EE3C-4826-85E0-ADF79F8D4C61 "Visual Studio Installer" "Microsoft Visual Studio Installer" 3.4.2246.31370 0 "C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe"
        8⤵
        Executes dropped EXE
        
        PID:3748
        
        C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe" elevate --activityId dc890543-aba6-4e5d-8f00-815e437caa4a --locale en-US --pid 4032 --pipeName 99123b7c1dc846b7bf2ff31b2b49da17 --pipeSecret c8b389446d3140049a55dc76063d5a9d --serializedSession "{\"IsOptedIn\":true,\"HostName\":\"Default\",\"AppInsightsInstrumentationKey\":\"f144292e-e3b2-4011-ac90-20e5c03fbce5\",\"AsimovInstrumentationKey\":\"AIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\",\"AppId\":1000,\"UserId\":\"07a2a331-ba4e-4b8f-8714-e7661e100da1\",\"Id\":\"85d0e8cc-8eba-457b-8dda-28161a05eef0\",\"ProcessStartTime\":638084894182841148,\"SkuName\":null,\"VSExeVersion\":null,\"BucketFiltersToEnableWatsonForFaults\":[{\"AdditionalProperties\":[],\"Id\":\"a02930d9-c607-41c3-8698-0fd9196735a5\",\"WatsonEventType\":\"VisualStudioNonFatalErrors2\",\"BucketParameterFilters\":[null,null,\"(?i)vs\\.setup.*\",null,null,null,null,null,null,null]},{\"AdditionalProperties\":[],\"Id\":\"64a13603-6d89-42e4-a299-13f77e5ad306\",\"WatsonEventType\":\"VisualStudioNonFatalErrors2\",\"BucketParameterFilters\":[null,null,\"(?i)vs\\.willow.*\",null,null,null,null,null,null,null]}],\"BucketFiltersToAddDumpsToFaults\":[]}"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" queue pause
        9⤵
        Drops file in Windows directory
        
        PID:2000
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" queue pause
        9⤵
        Drops file in Windows directory
        
        PID:2600
        
        C:\ProgramData\Microsoft\VisualStudio\Packages\Microsoft.VisualStudio.Initializer,version=17.4.33006.217\VSInitializer.exe
        
        "C:\ProgramData\Microsoft\VisualStudio\Packages\Microsoft.VisualStudio.Initializer,version=17.4.33006.217\VSInitializer.exe" -Operation Install -InstallationID 4a60cdb3 -InstallationName VisualStudio/17.4.3+33205.214 -InstallationVersion 17.4.33205.214 -InstallationWorkloads Microsoft.VisualStudio.Workload.CoreEditor,Microsoft.VisualStudio.Workload.NativeDesktop -InstallationPackages Microsoft.VisualStudio.Component.CoreEditor,Microsoft.VisualStudio.Component.TypeScript.TSServer,Microsoft.VisualStudio.ComponentGroup.WebToolsExtensions,Microsoft.VisualStudio.Component.JavaScript.TypeScript,Microsoft.VisualStudio.Component.Roslyn.Compiler,Microsoft.Component.MSBuild,Microsoft.VisualStudio.Component.Roslyn.LanguageServices,Microsoft.VisualStudio.Component.TextTemplating,Microsoft.VisualStudio.Component.NuGet,Microsoft.VisualStudio.Component.Debugger.JustInTime,Component.Microsoft.VisualStudio.LiveShare.2022,Microsoft.VisualStudio.Component.IntelliCode,Microsoft.VisualStudio.Component.VC.CoreIde,Microsoft.VisualStudio.Component.VC.Tools.x86.x64,Microsoft.VisualStudio.Component.Graphics.Tools,Microsoft.VisualStudio.Component.VC.DiagnosticTools,Microsoft.VisualStudio.Component.Windows11SDK.22000,Microsoft.VisualStudio.Component.VC.ATL,Microsoft.VisualStudio.Component.VC.Redist.14.Latest,Microsoft.VisualStudio.ComponentGroup.NativeDesktop.Core,Microsoft.VisualStudio.ComponentGroup.WebToolsExtensions.CMake,Microsoft.VisualStudio.Component.VC.CMake.Project,Microsoft.VisualStudio.Component.VC.TestAdapterForBoostTest,Microsoft.VisualStudio.Component.VC.TestAdapterForGoogleTest,Microsoft.VisualStudio.Component.VC.ASAN -InstallationPath """C:\Program Files\Microsoft Visual Studio\2022\Community""" -ComponentId Microsoft.VisualStudio.Product.Community -ChannelsPath """https://aka.ms/vs/17/release/channel""" -SetupEngineFilePath """C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe""" -Log """C:\Users\Admin\AppData\Local\Temp\dd_setup_20230105042646_010_Microsoft.VisualStudio.Initializer.log"""
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
        
        C:\ProgramData\Microsoft\VisualStudio\Packages\Microsoft.Build.UnGAC,version=17.4.1.2260106,chip=neutral,language=neutral\Microsoft.Build.UnGAC.exe
        
        "C:\ProgramData\Microsoft\VisualStudio\Packages\Microsoft.Build.UnGAC,version=17.4.1.2260106,chip=neutral,language=neutral\Microsoft.Build.UnGAC.exe"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3372

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 91B65C0EADCDE5686FA6586B6AED0DA4
  2⤵
  - Loads dropped DLL
  PID:4204
- C:\ProgramData\Microsoft\VisualStudio\SetupWMI\MofCompiler.exe
  "C:\ProgramData\Microsoft\VisualStudio\SetupWMI\MofCompiler.exe" -autorecover "C:\ProgramData\Microsoft\VisualStudio\SetupWMI\Microsoft.VisualStudio.Setup.Management.mof"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SYSTEM32\getmac.exe
    "getmac"
    3⤵
    PID:2964
- - C:\Windows\system32\wbem\mofcomp.exe
    "C:\Windows\system32\wbem\mofcomp" -autorecover C:\ProgramData\Microsoft\VisualStudio\SetupWMI\Microsoft.VisualStudio.Setup.Management.mof
    3⤵
    - Drops file in System32 directory
    PID:2436

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4808

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" SYSTEM
1⤵
PID:4436

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
PID:1872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery