59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3CXDesktopApp = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\3CXDesktopApp.exe\" autoLaunch"	msiexec.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	4364	msiexec.exe
4	4364	msiexec.exe
9	4364	msiexec.exe
15	4364	msiexec.exe
18	4364	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	3CXDesktopApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	3CXDesktopApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	3CXDesktopApp.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI8D63.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI783D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D31.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI86FA.tmp	msiexec.exe
File created	C:\Windows\Installer\e57768a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e577688.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D10.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D70.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DA0.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{92CE9437-646B-4297-919D-BB30B377A477}	msiexec.exe
File created	C:\Windows\Installer\e577688.msi	msiexec.exe

Executes dropped EXE 9 IoCs

pid	Process
2172	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
644	3CXDesktopApp.exe
1156	3CXDesktopApp.exe
4328	3CXDesktopApp.exe
1940	3CXDesktopApp.exe
1984	3CXDesktopApp.exe
4500	3CXDesktopApp.exe
1296	3CXDesktopApp.exe

Loads dropped DLL 23 IoCs

pid	Process
4764	MsiExec.exe
3644	MsiExec.exe
4764	MsiExec.exe
4764	MsiExec.exe
3644	MsiExec.exe
4764	MsiExec.exe
3644	MsiExec.exe
4764	MsiExec.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
644	3CXDesktopApp.exe
1156	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
1156	3CXDesktopApp.exe
1156	3CXDesktopApp.exe
1156	3CXDesktopApp.exe
1156	3CXDesktopApp.exe
4328	3CXDesktopApp.exe
1940	3CXDesktopApp.exe
1984	3CXDesktopApp.exe
4500	3CXDesktopApp.exe
1296	3CXDesktopApp.exe
1296	3CXDesktopApp.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{520AA812-396B-40DE-8ED1-0EDC70630DBE}\LocalServer32	3CXDesktopApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{520AA812-396B-40DE-8ED1-0EDC70630DBE}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\app\\3CXDesktopApp.exe"	3CXDesktopApp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000048edd825328814480000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000048edd8250000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090048edd825000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d48edd825000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000048edd82500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.tel	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.callto\shell\open\command	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.tcx+app	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.tcx+app\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\3CXDesktopApp.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+nav\shell\open\command	3CXDesktopApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+nav\shell\open	3CXDesktopApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.callto\DefaultIcon	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\callto\shell\open	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\callto\ = "URL:callto Protocol"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{520AA812-396B-40DE-8ED1-0EDC70630DBE}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\app\\3CXDesktopApp.exe"	3CXDesktopApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{DE3DFC1E-0F51-410D-91B9-0AAC0E0C3F5F}	3CXDesktopApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+app\URL Protocol	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+app\DefaultIcon	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\callto	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\callto\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\3CXDesktopApp.exe,1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.tel\shell\open	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+app\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\3CXDesktopApp.exe,1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+nav	3CXDesktopApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.callto\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\3CXDesktopApp.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+nav\ = "URL:tcx+nav"	3CXDesktopApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.tel\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\3CXDesktopApp.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+app\ = "URL:tcx+app Protocol"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+app\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\callto\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\3CXDesktopApp.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+nav\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\app\\3CXDesktopApp.exe\" \"%1\""	3CXDesktopApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.callto\shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.tcx+app\shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.tel\DefaultIcon	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+app\shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\callto\shell	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+nav\URL Protocol	3CXDesktopApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+nav\shell	3CXDesktopApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.tel\shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.callto	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.callto\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\3CXDesktopApp.exe,1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.tcx+app\shell\open\command	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.tcx+app\shell\open	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+app\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\3CXDesktopApp.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.tel\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\callto\URL Protocol	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID	3CXDesktopApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{520AA812-396B-40DE-8ED1-0EDC70630DBE}	3CXDesktopApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.tcx+app\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\3CXDesktopApp.exe,1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\callto\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.tel\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\3CXDesktopApp.exe,1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.tcx+app\DefaultIcon	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{520AA812-396B-40DE-8ED1-0EDC70630DBE}\LocalServer32	3CXDesktopApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+app	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\tcx+app\shell\open	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\callto\DefaultIcon	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\3CXDesktopApp.callto\shell\open	msiexec.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
4748	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	3CXDesktopApp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	3CXDesktopApp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	3CXDesktopApp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4048	msiexec.exe
4048	msiexec.exe
1296	3CXDesktopApp.exe
1296	3CXDesktopApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4364	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4364	msiexec.exe
Token: SeSecurityPrivilege	4048	msiexec.exe
Token: SeCreateTokenPrivilege	4364	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4364	msiexec.exe
Token: SeLockMemoryPrivilege	4364	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4364	msiexec.exe
Token: SeMachineAccountPrivilege	4364	msiexec.exe
Token: SeTcbPrivilege	4364	msiexec.exe
Token: SeSecurityPrivilege	4364	msiexec.exe
Token: SeTakeOwnershipPrivilege	4364	msiexec.exe
Token: SeLoadDriverPrivilege	4364	msiexec.exe
Token: SeSystemProfilePrivilege	4364	msiexec.exe
Token: SeSystemtimePrivilege	4364	msiexec.exe
Token: SeProfSingleProcessPrivilege	4364	msiexec.exe
Token: SeIncBasePriorityPrivilege	4364	msiexec.exe
Token: SeCreatePagefilePrivilege	4364	msiexec.exe
Token: SeCreatePermanentPrivilege	4364	msiexec.exe
Token: SeBackupPrivilege	4364	msiexec.exe
Token: SeRestorePrivilege	4364	msiexec.exe
Token: SeShutdownPrivilege	4364	msiexec.exe
Token: SeDebugPrivilege	4364	msiexec.exe
Token: SeAuditPrivilege	4364	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4364	msiexec.exe
Token: SeChangeNotifyPrivilege	4364	msiexec.exe
Token: SeRemoteShutdownPrivilege	4364	msiexec.exe
Token: SeUndockPrivilege	4364	msiexec.exe
Token: SeSyncAgentPrivilege	4364	msiexec.exe
Token: SeEnableDelegationPrivilege	4364	msiexec.exe
Token: SeManageVolumePrivilege	4364	msiexec.exe
Token: SeImpersonatePrivilege	4364	msiexec.exe
Token: SeCreateGlobalPrivilege	4364	msiexec.exe
Token: SeBackupPrivilege	2156	vssvc.exe
Token: SeRestorePrivilege	2156	vssvc.exe
Token: SeAuditPrivilege	2156	vssvc.exe
Token: SeBackupPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeBackupPrivilege	1148	srtasks.exe
Token: SeRestorePrivilege	1148	srtasks.exe
Token: SeSecurityPrivilege	1148	srtasks.exe
Token: SeTakeOwnershipPrivilege	1148	srtasks.exe
Token: SeBackupPrivilege	1148	srtasks.exe
Token: SeRestorePrivilege	1148	srtasks.exe
Token: SeSecurityPrivilege	1148	srtasks.exe
Token: SeTakeOwnershipPrivilege	1148	srtasks.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
4364	msiexec.exe
4364	msiexec.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe
3660	3CXDesktopApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 1148	4048	msiexec.exe	89
PID 4048 wrote to memory of 1148	4048	msiexec.exe	89
PID 4048 wrote to memory of 4764	4048	msiexec.exe	91
PID 4048 wrote to memory of 4764	4048	msiexec.exe	91
PID 4048 wrote to memory of 4764	4048	msiexec.exe	91
PID 4048 wrote to memory of 3644	4048	msiexec.exe	92
PID 4048 wrote to memory of 3644	4048	msiexec.exe	92
PID 4764 wrote to memory of 2172	4764	MsiExec.exe	104
PID 4764 wrote to memory of 2172	4764	MsiExec.exe	104
PID 4764 wrote to memory of 2172	4764	MsiExec.exe	104
PID 2172 wrote to memory of 3660	2172	3CXDesktopApp.exe	95
PID 2172 wrote to memory of 3660	2172	3CXDesktopApp.exe	95
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 1156	3660	3CXDesktopApp.exe	96
PID 3660 wrote to memory of 644	3660	3CXDesktopApp.exe	97
PID 3660 wrote to memory of 644	3660	3CXDesktopApp.exe	97
PID 3660 wrote to memory of 4748	3660	3CXDesktopApp.exe	98
PID 3660 wrote to memory of 4748	3660	3CXDesktopApp.exe	98
PID 3660 wrote to memory of 4328	3660	3CXDesktopApp.exe	100
PID 3660 wrote to memory of 4328	3660	3CXDesktopApp.exe	100
PID 3660 wrote to memory of 4328	3660	3CXDesktopApp.exe	100
PID 3660 wrote to memory of 4328	3660	3CXDesktopApp.exe	100
PID 3660 wrote to memory of 4328	3660	3CXDesktopApp.exe	100
PID 3660 wrote to memory of 4328	3660	3CXDesktopApp.exe	100
PID 3660 wrote to memory of 4328	3660	3CXDesktopApp.exe	100
PID 3660 wrote to memory of 4328	3660	3CXDesktopApp.exe	100
PID 3660 wrote to memory of 4328	3660	3CXDesktopApp.exe	100
PID 3660 wrote to memory of 4328	3660	3CXDesktopApp.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3CXDesktopApp-18.12.416.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4364

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E86A400E9EB9A27C6495ED7908CD15A4
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe
    "C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe
      "C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      Modifies system certificate store
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe
        
        "C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\3CXDesktopApp" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1740,i,18071824292075145032,232871855404077538,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1156
    - - C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe
        
        "C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --ignore-certificate-errors=true --ignore-certificate-errors=true --user-data-dir="C:\Users\Admin\AppData\Roaming\3CXDesktopApp" --standard-schemes=voipc --enable-sandbox --secure-schemes=voipc --bypasscsp-schemes --cors-schemes=voipc --fetch-schemes=voipc --service-worker-schemes=voipc --streaming-schemes --mojo-platform-channel-handle=1912 --field-trial-handle=1740,i,18071824292075145032,232871855404077538,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:644
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v 3CXDeskTopApp
        5⤵
        Modifies registry key
        
        PID:4748
    - - C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe
        
        "C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\3CXDesktopApp" --standard-schemes=voipc --enable-sandbox --secure-schemes=voipc --bypasscsp-schemes --cors-schemes=voipc --fetch-schemes=voipc --service-worker-schemes=voipc --streaming-schemes --app-user-model-id=9071E5B59CCA4D120EC8D975AF3F02AB --app-path="C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3032 --field-trial-handle=1740,i,18071824292075145032,232871855404077538,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4328
    - - C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe
        
        "C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\3CXDesktopApp" --standard-schemes=voipc --enable-sandbox --secure-schemes=voipc --bypasscsp-schemes --cors-schemes=voipc --fetch-schemes=voipc --service-worker-schemes=voipc --streaming-schemes --app-user-model-id=9071E5B59CCA4D120EC8D975AF3F02AB --app-path="C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3512 --field-trial-handle=1740,i,18071824292075145032,232871855404077538,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1940
    - - C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe
        
        "C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --ignore-certificate-errors=true --ignore-certificate-errors=true --user-data-dir="C:\Users\Admin\AppData\Roaming\3CXDesktopApp" --standard-schemes=voipc --enable-sandbox --secure-schemes=voipc --bypasscsp-schemes --cors-schemes=voipc --fetch-schemes=voipc --service-worker-schemes=voipc --streaming-schemes --mojo-platform-channel-handle=3628 --field-trial-handle=1740,i,18071824292075145032,232871855404077538,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1984
    - - C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe
        
        "C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --ignore-certificate-errors=true --ignore-certificate-errors=true --user-data-dir="C:\Users\Admin\AppData\Roaming\3CXDesktopApp" --standard-schemes=voipc --enable-sandbox --secure-schemes=voipc --bypasscsp-schemes --cors-schemes=voipc --fetch-schemes=voipc --service-worker-schemes=voipc --streaming-schemes --mojo-platform-channel-handle=3700 --field-trial-handle=1740,i,18071824292075145032,232871855404077538,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4500
    - - C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe
        
        "C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\3CXDesktopApp" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3064 --field-trial-handle=1740,i,18071824292075145032,232871855404077538,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1296
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding A9D909A3CEEEA331D0BA17E30A353FE3
  2⤵
  - Loads dropped DLL
  PID:3644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f0 0x344
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery