cobaltstrike | hxxps://among-us[.]en[.]softonic[.]com/

System Information Discovery

Processes:

rsEDRSvc.exersEngineSvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEngineSvc.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rsVPNSvc.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Control Panel\International\Geo\Nation rsVPNSvc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Control Panel\International\Geo\Nation	rsVPNSvc.exe

Drops startup file 2 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD31AD.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD31B4.tmp	WannaCry.EXE

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

Processes:

MEmu-setup-abroad-02bf66ec.exersStubActivator.exekrtk0b1r.exeUnifiedStub-installer.exersSyncSvc.exersSyncSvc.exersWSC.exersWSC.exeSetup.exe7za.exe7za.exe7za.exeMEmuDrvInst.exeMEmuManage.exeMEmuSVC.exeMEmuSVC.exeMEmuSVC.exeMEmuSVC.exeMemuService.exeMEmuManage.exeMEmuSVC.exeMEmuRepair.exeMEmuManage.exeMEmuManage.exeMEmuc.exeMEmuConsole.exeMEmuSVC.exeMEmu.exeMEmuSVC.exeMEmuManage.exeMEmuManage.exescreenrecord.exeMEmu.exeMEmuRepair.exersWSC.exersWSC.exersWSC.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]rsWSC.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exersWSC.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]

pid	process
7072	MEmu-setup-abroad-02bf66ec.exe
2932	rsStubActivator.exe
424	krtk0b1r.exe
6532	UnifiedStub-installer.exe
4704	rsSyncSvc.exe
6844	rsSyncSvc.exe
4380	rsWSC.exe
5392	rsWSC.exe
8064	Setup.exe
1076	7za.exe
6240	7za.exe
7268	7za.exe
5868	MEmuDrvInst.exe
7804	MEmuManage.exe
7744	MEmuSVC.exe
5544	MEmuSVC.exe
2372	MEmuSVC.exe
2724	MEmuSVC.exe
4964	MemuService.exe
7784	MEmuManage.exe
7440	MEmuSVC.exe
1296	MEmuRepair.exe
4132	MEmuManage.exe
7628	MEmuManage.exe
7480	MEmuc.exe
5816	MEmuConsole.exe
1172	MEmuSVC.exe
8128	MEmu.exe
1516	MEmuSVC.exe
3264	MEmuManage.exe
6516	MEmuManage.exe
1476	screenrecord.exe
948	MEmu.exe
3964	MEmuRepair.exe
6016	rsWSC.exe
6168	rsWSC.exe
8040	rsWSC.exe
7944	taskdl.exe
4524	@[email protected]
7420	@[email protected]
748	taskhsvc.exe
4704	@[email protected]
1632	taskdl.exe
7480	taskse.exe
5040	@[email protected]
6792	taskdl.exe
6820	taskse.exe
428	@[email protected]
8044	taskdl.exe
6728	taskse.exe
6312	@[email protected]
7088	rsWSC.exe
420	taskse.exe
3152	@[email protected]
2416	taskdl.exe
4460	taskse.exe
3192	@[email protected]
3224	taskdl.exe
7664	rsWSC.exe
8076	taskse.exe
4996	@[email protected]
720	taskdl.exe
3032	taskse.exe
7444	@[email protected]

Loads dropped DLL 64 IoCs

Processes:

MEmu-setup-abroad-02bf66ec.exeUnifiedStub-installer.exe7za.exe7za.exe7za.exeMEmuDrvInst.exeMEmuManage.exeMEmuSVC.exeMEmuSVC.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeMEmuSVC.exe

pid	process
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
1076	7za.exe
6240	7za.exe
7268	7za.exe
5868	MEmuDrvInst.exe
7804	MEmuManage.exe
7804	MEmuManage.exe
7804	MEmuManage.exe
7804	MEmuManage.exe
7804	MEmuManage.exe
7804	MEmuManage.exe
7804	MEmuManage.exe
7804	MEmuManage.exe
7804	MEmuManage.exe
7804	MEmuManage.exe
7804	MEmuManage.exe
7804	MEmuManage.exe
7804	MEmuManage.exe
7744	MEmuSVC.exe
7744	MEmuSVC.exe
7744	MEmuSVC.exe
7744	MEmuSVC.exe
7744	MEmuSVC.exe
7744	MEmuSVC.exe
7744	MEmuSVC.exe
7744	MEmuSVC.exe
7744	MEmuSVC.exe
7744	MEmuSVC.exe
7744	MEmuSVC.exe
7744	MEmuSVC.exe
5544	MEmuSVC.exe
5544	MEmuSVC.exe
5544	MEmuSVC.exe
5544	MEmuSVC.exe
5544	MEmuSVC.exe
5544	MEmuSVC.exe
5544	MEmuSVC.exe
5544	MEmuSVC.exe
7184	regsvr32.exe
7352	regsvr32.exe
7352	regsvr32.exe
7352	regsvr32.exe
7352	regsvr32.exe
7352	regsvr32.exe
7352	regsvr32.exe
7352	regsvr32.exe
7352	regsvr32.exe
7352	regsvr32.exe
4880	regsvr32.exe
436	regsvr32.exe
436	regsvr32.exe
436	regsvr32.exe
436	regsvr32.exe
436	regsvr32.exe
436	regsvr32.exe
436	regsvr32.exe
436	regsvr32.exe
436	regsvr32.exe
2372	MEmuSVC.exe
2372	MEmuSVC.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5204 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5204	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

rundll32.exereg.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jfzplzsiyhdjbb859 = "\"C:\\Users\\Admin\\Downloads\\WannaCry-main\\WannaCry-main\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

Processes:

MEmu-setup-abroad-02bf66ec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	MEmu-setup-abroad-02bf66ec.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	MEmu-setup-abroad-02bf66ec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rsEDRSvc.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rsEDRSvc.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

rsEngineSvc.exersEDRSvc.exe

description ioc process

File opened (read-only) \??\F: rsEngineSvc.exe
File opened (read-only) \??\F: rsEDRSvc.exe
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1217 camo.githubusercontent.com
1237 camo.githubusercontent.com
Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEmu.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 MEmu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rsEDRSvc.exe

description	ioc	process
File opened (read-only)	\??\F:	rsEngineSvc.exe
File opened (read-only)	\??\F:	rsEDRSvc.exe

flow	ioc
1217	camo.githubusercontent.com
1237	camo.githubusercontent.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	MEmu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp	autoit_exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

rsEDRSvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	rsEDRSvc.exe

Drops file in System32 directory 58 IoCs

Processes:

rsEDRSvc.exersVPNSvc.exersEngineSvc.exersWSC.exeMEmuDrvInst.exechrome.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\rsVPNSvc\WireGuard\log.bin	rsVPNSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0E447C3E79584EC91182C66BBD2DB7	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\439F613B3D55693954E1B080DE3085B4_C4927E03400A4F6EDB9D613E6354F864	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48B35517638A85CA46010B026C2B955A_735A98D70471F3F6240371211712CB5C	rsEngineSvc.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rsWSC.exe.log	rsWSC.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D97B1EC1F43DD6ED4FE7AB95E144BC_8439ABBFAB1BE4FA5D9C6CE8C264BCF3	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_ACC1A26A3F5A815A00C8D5589432921F	rsEDRSvc.exe
File created	C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.cat	MEmuDrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0E447C3E79584EC91182C66BBD2DB7	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\439F613B3D55693954E1B080DE3085B4_C4927E03400A4F6EDB9D613E6354F864	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.inf	MEmuDrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_1FB605FD2412C4F94AD934D8134A28AC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BD96F9183ADE69B6DF458457F594566C_48BDF541C9BF1B2BAD41358CD874DC4B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_1FB605FD2412C4F94AD934D8134A28AC	rsEngineSvc.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A76F24BEACC5A31C76BB70908923C3E0	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94D97B1EC1F43DD6ED4FE7AB95E144BC_8439ABBFAB1BE4FA5D9C6CE8C264BCF3	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\206932163209AD483A44477E28192474	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_E3A0B2E345AA9F5A174687564C886046	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\DRVSTORE	MEmuDrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_96B11076AA4494A4A6143129F61AEC8B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\117308CCCD9C93758827D7CC85BB135E	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\117308CCCD9C93758827D7CC85BB135E	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0E663C78920A8217B4CBE3D45E3E6236_75C1BD04B8F3DBF3882A89F51074A729	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_EC4B03A84E582F11EFD1DC6D27A523EE	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_EC4B03A84E582F11EFD1DC6D27A523EE	rsEngineSvc.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\206932163209AD483A44477E28192474	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_E3A0B2E345AA9F5A174687564C886046	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD96F9183ADE69B6DF458457F594566C_48BDF541C9BF1B2BAD41358CD874DC4B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A76F24BEACC5A31C76BB70908923C3E0	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0E663C78920A8217B4CBE3D45E3E6236_75C1BD04B8F3DBF3882A89F51074A729	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_96B11076AA4494A4A6143129F61AEC8B	rsEDRSvc.exe
File created	C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.sys	MEmuDrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691	rsEngineSvc.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MEmuDrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEDRSvc.exe
File created	C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.inf	MEmuDrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_ACC1A26A3F5A815A00C8D5589432921F	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48B35517638A85CA46010B026C2B955A_735A98D70471F3F6240371211712CB5C	rsEngineSvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

Processes:

WannaCry.EXE@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

Processes:

MEmu-setup-abroad-02bf66ec.exe7za.exeUnifiedStub-installer.exe7za.exersVPNSvc.exe7za.exe

description	ioc	process
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Ll7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\id.pak	7za.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.ZP7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	UnifiedStub-installer.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.QN7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\ReasonLabs\EPP\rsBuild.Runtime.dll	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Vq7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Text.Encoding.Extensions.dll	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.FN7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Fn7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Dk7072	MEmu-setup-abroad-02bf66ec.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.nB7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Ji7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.kQ7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\ReasonLabs\EPP\rsLogger.dll	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Microvirt\MEmuHyperv\drv\MEmuDrv.sys	7za.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.fM7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ms.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Linq.Expressions.dll	UnifiedStub-installer.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.pc7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\Microvirt\MEmu\Qt5Core.dll	7za.exe
File opened for modification	C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog	rsVPNSvc.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.gj7072	MEmu-setup-abroad-02bf66ec.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.UD7072	MEmu-setup-abroad-02bf66ec.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.El7072	MEmu-setup-abroad-02bf66ec.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.LV7072	MEmu-setup-abroad-02bf66ec.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.oQ7072	MEmu-setup-abroad-02bf66ec.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.vd7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Security.Cryptography.Encoding.dll	UnifiedStub-installer.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.sa7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.pq7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.uC7072	MEmu-setup-abroad-02bf66ec.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.xK7072	MEmu-setup-abroad-02bf66ec.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.jj7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.zH7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Csp.dll	UnifiedStub-installer.exe
File created	C:\Program Files\Microvirt\MEmuHyperv\x86\libcrypto-1_1.dll	7za.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Ts7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Os7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.eL7072	MEmu-setup-abroad-02bf66ec.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.vy7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\ReasonLabs\DNS\System.IO.FileSystem.DriveInfo.dll	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.pm7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Xml.XmlDocument.dll	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.JD7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.bG7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\ReasonLabs\EPP\rsHelper.exe.config	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.zV7072	MEmu-setup-abroad-02bf66ec.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Jb7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Ah7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Reflection.dll	UnifiedStub-installer.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.it7072	MEmu-setup-abroad-02bf66ec.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Op7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\te.pak	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.TH7072	MEmu-setup-abroad-02bf66ec.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Rc7072	MEmu-setup-abroad-02bf66ec.exe
File opened for modification	C:\Program Files\Microvirt\MEmu\translations\qt_sk.qm	7za.exe
File opened for modification	C:\Program Files\Microvirt\MEmu\d3dcompiler_47.dll	7za.exe
File opened for modification	C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuProxyStub.dll	7za.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.zr7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.fl7072	MEmu-setup-abroad-02bf66ec.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.TextWriterTraceListener.dll	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Microvirt\MEmu\adbdrv\32\android_winusb.inf	7za.exe
File created	C:\Program Files\ReasonLabs\VPN\rsEngine.Utilities.Browsers.dll	UnifiedStub-installer.exe

Drops file in Windows directory 4 IoCs

Processes:

chrome.exersAppUI.exersAppUI.exersAppUI.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	rsAppUI.exe
File opened for modification	C:\Windows\SystemTemp	rsAppUI.exe
File opened for modification	C:\Windows\SystemTemp	rsAppUI.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
5376	sc.exe
3376	sc.exe
1320	sc.exe
920	sc.exe
5996	sc.exe
2596	sc.exe
3044	sc.exe
7808	sc.exe
5624	sc.exe
7572	sc.exe
2816	sc.exe
7584	sc.exe
7472	sc.exe
7648	sc.exe
576	sc.exe
5636	sc.exe
7396	sc.exe
8092	sc.exe
5884	sc.exe
7816	sc.exe
6384	sc.exe
856	sc.exe
7620	sc.exe
7484	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\MEmu-setup-abroad-02bf66ec.exe:Zone.Identifier chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4832 7072 WerFault.exe MEmu-setup-abroad-02bf66ec.exe
3132 7072 WerFault.exe MEmu-setup-abroad-02bf66ec.exe

pid	pid_target	process	target process
4832	7072	WerFault.exe	MEmu-setup-abroad-02bf66ec.exe
3132	7072	WerFault.exe	MEmu-setup-abroad-02bf66ec.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

sc.exescreenrecord.execmd.exetaskdl.exe@[email protected]sc.exesc.exetaskdl.exeattrib.exe@[email protected]taskdl.exe@[email protected]MEmu-setup-abroad-02bf66ec.exesc.exetaskdl.exetaskdl.exetaskdl.exetaskdl.exe@[email protected]sc.exeWannaCry.EXEWMIC.exe@[email protected]@[email protected]taskse.exetaskdl.exetaskse.exetaskdl.exetaskse.exe@[email protected]@[email protected]taskdl.exetaskse.exetaskse.exesc.execmd.exetaskdl.exetaskdl.exetaskdl.exe@[email protected]taskdl.exe@[email protected]regsvr32.exeMEmu.exetaskdl.exe@[email protected]sc.exe@[email protected]sc.exetaskse.exetaskse.exe@[email protected]@[email protected]cmd.exetaskdl.exe@[email protected]taskdl.exeSetup.exesc.exesc.exesc.exeexplorer.exeicacls.exetaskse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	screenrecord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEmu-setup-abroad-02bf66ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEmu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

rsEDRSvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Control	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	rsEDRSvc.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

runonce.exeSetup.exersEDRSvc.exeMEmu-setup-abroad-02bf66ec.exerunonce.exeMEmuConsole.exeMEmu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MEmu-setup-abroad-02bf66ec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rsEDRSvc.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MEmuConsole.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MEmu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MEmuConsole.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MEmu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MEmu-setup-abroad-02bf66ec.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rsEDRSvc.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rsEDRSvc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

rsEDRSvc.exersEngineSvc.exersDNSSvc.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rsEngineSvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsEngineSvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rsEngineSvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsDNSSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsEngineSvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	rsEngineSvc.exe

Modifies registry class 64 IoCs

Processes:

MEmuSVC.exeregsvr32.exeMEmuManage.exeOpenWith.exeMEmuManage.exeregsvr32.exeregsvr32.exeMEmuSVC.exeMEmuSVC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{806DA61B-6679-422A-B629-51B06B0C6D9A}\TypeLib	MEmuSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2405F0E5-6588-40A3-9B0A-68C05BA52C4A}\ = "IGuestProcessEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD3E2654-A161-41F1-B583-4892F4A9D5DA}\TypeLib\ = "{d7569351-1750-46f0-936e-bd127d5bc26a}"	MEmuSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{715212BF-DA59-426E-8230-3831FAA52C5A}\ProxyStubClsid32	MEmuManage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32	MEmuManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{883DD18B-0721-4CDE-867C-1A82ABAF914A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269D8F6B-FA1E-4CEE-91C7-6D8496BEA3CA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{714A3EEF-799A-4489-86CD-FE8E45B2FF8A}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269D8F6B-FA1E-4CEE-91C7-6D8496BEA3CA}\ = "INATNetworkStartStopEvent"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{aeccc0a8-e0a0-427f-b946-c42063f54d8a}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B66A}\ = "IGuestFile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB3A9E6-7F29-4AAE-A627-5A282C83092A}\ProxyStubClsid32	MEmuSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48C7F4C0-C9D6-4742-957C-A6FD52E8C4AA}\NumMethods	MEmuManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{cac21692-7997-4595-a731-3a509db604ea}	MEmuManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10f337fb-422e-e57e-661b-0998ac30917a}	MEmuManage.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53fac49a-b7f1-4a5a-a4ef-a11dd9c2a45a}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C1CDB6BF-44CB-E334-66FA-469A17FD09DA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81314D14-FD1C-411A-95C5-E9BB1414E63A}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3BA329DC-659C-488B-835C-4ECA7AE71C6A}\ProxyStubClsid32	MEmuSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1d89e2b3-c6ea-45b6-9d43-dc6f70cc9f0a}\TypeLib	MEmuManage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14c66b23-404c-f24a-3cc1-ee9501d44f21}\NumMethods\ = "34"	MEmuManage.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92f21dc0-44de-1653-b717-2ebf0ca9b66a}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{88394258-7006-40D4-B339-472EE380184A}\TypeLib	MEmuManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F73650F4-4506-50CA-045A-23A0E32EA50A}\ProxyStubClsid32	MEmuSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{232e9151-ae84-4b8e-b0f3-5c20c35caaca}	MEmuSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4c7f4bf6-4671-2f75-0fbb-a99f6218cdfa}\ProxyStubClsid32	MEmuManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B82295F-415F-1AA1-17FD-9FBBAC8EDF4A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77FAF1C0-489D-B123-274C-5A95E77AB28A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9b6e1aee-35f3-4f4d-b5bb-ed0ecefd853a}	MEmuSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08889892-1EC6-4883-801D-77F56CFD010A}\ProxyStubClsid32	MEmuSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93BADC0C-61D9-4940-A084-E6BB29AF3D8A}\ProxyStubClsid32	MEmuSVC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{486fd828-4c6b-239b-a846-c4bb69e4103a}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{316C99A2-405D-41AF-8508-46889144D06A}\TypeLib	MEmuManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d2937a8e-cb8d-4382-90ba-b7da78a7457a}\TypeLib	MEmuManage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDBA9D10-45D8-B440-1712-46AC0C9BC4CA}\TypeLib\Version = "1.3"	MEmuSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4EE3CBCB-486F-40DB-9150-DEEE3FD2418A}\ProxyStubClsid32	MEmuManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49B19D41-4A75-7BD5-C124-259ACBA3C41A}\TypeLib	MEmuSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{715212bf-da59-426e-8230-3831faa52c5a}\NumMethods\ = "13"	MEmuManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1CDB6BF-44CB-E334-66FA-469A17FD09DA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08889892-1EC6-4883-801D-77F56CFD010A}\ = "INetworkAdapterChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{179F8647-319C-4E7E-8150-C5837BD265FA}\ = "IGuestMouseEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{334df94a-7556-4cbc-8c04-043096b02d8a}	MEmuSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9ACD33F-647D-45AC-8FE9-F49B3183BA3A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{747E397E-69C8-45A0-88D9-F7F07096071A}\TypeLib	MEmuSVC.exe
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0ca2adba-8f30-401b-a8cd-fe31dbe839ca}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B14290AD-CD54-400C-B858-797BCB82570A}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8AA}\NumMethods	MEmuManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{455F8C45-44A0-A470-BA20-27890B96DBAA}\ProxyStubClsid32	MEmuManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MemuHyperv.MemuHyperv\CLSID	MEmuSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{fb220201-2fd3-47e2-a5dc-2c2431d833ca}	MEmuManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9B9E1CF-CB63-47A1-84FB-02C4894B89AA}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F63597A-26F1-4EDB-8DD2-6BDDD091236A}\NumMethods\ = "16"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4AFE423B-43E0-E9D0-82E8-CEB307940DD1}\ProxyStubClsid32	MEmuSVC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\MRUListEx = ffffffff	OpenWith.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2514881b-23d0-430a-a7ff-7ed7f05534ba}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F73650F4-4506-50CA-045A-23A0E32EA50A}\ = "IDirectory"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{747E397E-69C8-45A0-88D9-F7F07096071A}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24EEF068-C380-4510-BC7C-19314A7352FA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFA7E4F5-B4A4-44CE-85A8-127AC5EB59DA}\TypeLib\Version = "1.3"	MEmuSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c48f3401-4a9e-43f4-b7a7-54bd285e22fa}	MEmuSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{aeccc0a8-e0a0-427f-b946-c42063f54d8a}\ProxyStubClsid32	MEmuManage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B6E1AEE-35F3-4F4D-B5BB-ED0ECEFD853A}\ = "IEventSource"	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

6384 reg.exe

pid	process
6384	reg.exe

Modifies system certificate store 2 TTPs 18 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

rsWSC.exersEngineSvc.exersEDRSvc.exersEngineSvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEDRSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEDRSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c000000010000000400000000100000040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe

NTFS ADS 2 IoCs

Processes:

chrome.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\MEmu-setup-abroad-02bf66ec.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry-main.zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 9 IoCs

Processes:

MEmu-setup-abroad-02bf66ec.exeSetup.exevlc.exeMEmuRepair.exeMEmuConsole.exeMEmu.exeMEmu.exescreenrecord.exeMEmuRepair.exe

pid	process
7072	MEmu-setup-abroad-02bf66ec.exe
8064	Setup.exe
8084	vlc.exe
1296	MEmuRepair.exe
5816	MEmuConsole.exe
8128	MEmu.exe
948	MEmu.exe
1476	screenrecord.exe
3964	MEmuRepair.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exeMEmu-setup-abroad-02bf66ec.exeUnifiedStub-installer.exeSetup.exeMEmuConsole.exe

pid	process
2476	chrome.exe
2476	chrome.exe
6536	chrome.exe
6536	chrome.exe
6536	chrome.exe
6536	chrome.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
6532	UnifiedStub-installer.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
5816	MEmuConsole.exe
5816	MEmuConsole.exe
8064	Setup.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

MEmu-setup-abroad-02bf66ec.exevlc.exeMEmuConsole.exeOpenWith.exe@[email protected]

pid process

7072 MEmu-setup-abroad-02bf66ec.exe
8084 vlc.exe
5816 MEmuConsole.exe
7368 OpenWith.exe
4704 @[email protected]
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

fltmc.exe

pid process

3088 fltmc.exe
656
656
656

pid	process
3088	fltmc.exe
656
656
656

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

chrome.exe

pid	process
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe

Suspicious use of SendNotifyMessage 56 IoCs

Processes:

chrome.exevlc.exeMEmuConsole.exemsedge.exersAppUI.exersAppUI.exersAppUI.exe

pid	process
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
8084	vlc.exe
8084	vlc.exe
8084	vlc.exe
8084	vlc.exe
8084	vlc.exe
8084	vlc.exe
8084	vlc.exe
8084	vlc.exe
5816	MEmuConsole.exe
5816	MEmuConsole.exe
5816	MEmuConsole.exe
5816	MEmuConsole.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
7832	rsAppUI.exe
7832	rsAppUI.exe
7832	rsAppUI.exe
7832	rsAppUI.exe
7832	rsAppUI.exe
7832	rsAppUI.exe
7832	rsAppUI.exe
7832	rsAppUI.exe
2896	rsAppUI.exe
2896	rsAppUI.exe
2896	rsAppUI.exe
2896	rsAppUI.exe
2896	rsAppUI.exe
2896	rsAppUI.exe
8788	rsAppUI.exe
8788	rsAppUI.exe
8788	rsAppUI.exe
8788	rsAppUI.exe
8788	rsAppUI.exe
8788	rsAppUI.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

MEmu-setup-abroad-02bf66ec.exeMiniSearchHost.exeSetup.exe7za.exevlc.exe7za.exe7za.exeMEmuManage.exeMEmuSVC.exeMEmuSVC.exeMEmuSVC.exeMEmuSVC.exeMEmuManage.exeMEmuSVC.exeMEmuRepair.exeMEmuManage.exeMEmuManage.exeMEmuc.exeMEmuConsole.exe

pid	process
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
3724	MiniSearchHost.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
7072	MEmu-setup-abroad-02bf66ec.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
1076	7za.exe
8084	vlc.exe
6240	7za.exe
7268	7za.exe
7804	MEmuManage.exe
7744	MEmuSVC.exe
5544	MEmuSVC.exe
2372	MEmuSVC.exe
2724	MEmuSVC.exe
7784	MEmuManage.exe
7440	MEmuSVC.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
8064	Setup.exe
1296	MEmuRepair.exe
1296	MEmuRepair.exe
8064	Setup.exe
4132	MEmuManage.exe
7628	MEmuManage.exe
7480	MEmuc.exe
7480	MEmuc.exe
5816	MEmuConsole.exe
5816	MEmuConsole.exe
7480	MEmuc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2476 wrote to memory of 2388	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 2388	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3108	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3788	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3788	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe
PID 2476 wrote to memory of 3632	2476	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

5512 attrib.exe
3420 attrib.exe
8088 attrib.exe

pid	process
5512	attrib.exe
3420	attrib.exe
8088	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://among-us.en.softonic.com/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa41e0cc40,0x7ffa41e0cc4c,0x7ffa41e0cc58
2⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1756,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1740 /prefetch:2
2⤵
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1736,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2096 /prefetch:3
2⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2340 /prefetch:8
2⤵
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3100 /prefetch:1
2⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3136 /prefetch:1
2⤵
PID:344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3732 /prefetch:1
2⤵
PID:1544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3724,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4528 /prefetch:1
2⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4672,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4700 /prefetch:1
2⤵
PID:1272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4840,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4824 /prefetch:1
2⤵
PID:2416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3680,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5464 /prefetch:8
2⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5128,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5460 /prefetch:1
2⤵
PID:1120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5112,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5036 /prefetch:1
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5660,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5680 /prefetch:1
2⤵
PID:3276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5808,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5824 /prefetch:1
2⤵
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5816,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5964 /prefetch:1
2⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5984,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6108 /prefetch:1
2⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5656,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6348 /prefetch:1
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6092,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6364 /prefetch:1
2⤵
PID:4008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6632,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6616 /prefetch:1
2⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6768,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6788 /prefetch:1
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6936,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6604 /prefetch:1
2⤵
PID:1128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6488,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6588 /prefetch:1
2⤵
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=7228,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7076 /prefetch:1
2⤵
PID:1116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=7220,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7356 /prefetch:1
2⤵
PID:2412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=7520,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7224 /prefetch:1
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=7704,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7532 /prefetch:1
2⤵
PID:5336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=7224,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7712 /prefetch:1
2⤵
PID:5516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6716,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7824 /prefetch:1
2⤵
PID:5524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6680,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7792 /prefetch:1
2⤵
PID:5664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7576,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7784 /prefetch:1
2⤵
PID:5268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=6712,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6700 /prefetch:1
2⤵
PID:5244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=8020,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8040 /prefetch:1
2⤵
PID:5252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=8176,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8184 /prefetch:1
2⤵
PID:5448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=8372,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8380 /prefetch:1
2⤵
PID:5552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=8456,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8448 /prefetch:1
2⤵
PID:5688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=8472,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8588 /prefetch:1
2⤵
PID:5728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=8568,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8732 /prefetch:1
2⤵
PID:5680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=8716,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8868 /prefetch:1
2⤵
PID:5708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=9004,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8708 /prefetch:1
2⤵
PID:5700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=9144,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9156 /prefetch:1
2⤵
PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=9020,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9360 /prefetch:1
2⤵
PID:6084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=9432,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9448 /prefetch:1
2⤵
PID:6096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=9620,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9188 /prefetch:1
2⤵
PID:5196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=9044,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8752 /prefetch:1
2⤵
PID:4008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=8808,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9520 /prefetch:1
2⤵
PID:5344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=8748,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8776 /prefetch:1
2⤵
PID:5944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=9244,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9552 /prefetch:1
2⤵
PID:5704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=8496,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8480 /prefetch:1
2⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=3508,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8476 /prefetch:1
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=5948,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7064 /prefetch:1
2⤵
PID:5128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=5972,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5560 /prefetch:1
2⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=5284,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7124 /prefetch:1
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=6360,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6284 /prefetch:1
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=7304,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6780 /prefetch:1
2⤵
PID:3376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=6924,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8312 /prefetch:1
2⤵
PID:5320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=6004,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6996 /prefetch:1
2⤵
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=5044,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4332 /prefetch:1
2⤵
PID:5412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=7012,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6972 /prefetch:1
2⤵
PID:5992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=6104,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5036 /prefetch:1
2⤵
PID:6028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=9692,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9672 /prefetch:1
2⤵
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=5676,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9616 /prefetch:1
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=6548,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3100 /prefetch:1
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=9240,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7804 /prefetch:1
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=9532,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6820 /prefetch:1
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=6864,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5884 /prefetch:1
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=5700,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5788 /prefetch:1
2⤵
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=9488,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4736 /prefetch:1
2⤵
PID:5408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --field-trial-handle=4740,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7784 /prefetch:1
2⤵
PID:5812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --field-trial-handle=4744,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7468 /prefetch:1
2⤵
PID:5824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --field-trial-handle=8564,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9420 /prefetch:1
2⤵
PID:992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=9412,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9184 /prefetch:8
2⤵
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --field-trial-handle=6308,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9368 /prefetch:1
2⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=6164,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7660 /prefetch:1
2⤵
PID:5800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --field-trial-handle=8300,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9088 /prefetch:1
2⤵
PID:5768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --field-trial-handle=9808,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9776 /prefetch:1
2⤵
PID:5372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --field-trial-handle=8772,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9816 /prefetch:1
2⤵
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --field-trial-handle=8084,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:5284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --field-trial-handle=6756,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5264 /prefetch:1
2⤵
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --field-trial-handle=8692,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4568 /prefetch:1
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --field-trial-handle=9872,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6644 /prefetch:1
2⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --field-trial-handle=9756,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=10052 /prefetch:1
2⤵
PID:5896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --field-trial-handle=10080,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9480 /prefetch:1
2⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --field-trial-handle=10096,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6520 /prefetch:1
2⤵
PID:5608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --field-trial-handle=8628,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7776 /prefetch:1
2⤵
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --field-trial-handle=7500,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4828 /prefetch:1
2⤵
PID:2332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --field-trial-handle=7716,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7592 /prefetch:1
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --field-trial-handle=6496,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7112 /prefetch:1
2⤵
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --field-trial-handle=6464,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9536 /prefetch:1
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --field-trial-handle=9596,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=10132 /prefetch:1
2⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --field-trial-handle=9316,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9472 /prefetch:1
2⤵
PID:5848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --field-trial-handle=7604,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=10368 /prefetch:1
2⤵
PID:6168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --field-trial-handle=7916,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=10520 /prefetch:1
2⤵
PID:6288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --field-trial-handle=10648,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6740 /prefetch:1
2⤵
PID:6340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --field-trial-handle=10476,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=10800 /prefetch:1
2⤵
PID:6428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --field-trial-handle=10948,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=10960 /prefetch:1
2⤵
PID:6480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --field-trial-handle=11140,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6136 /prefetch:1
2⤵
PID:6592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --field-trial-handle=11256,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=11268 /prefetch:1
2⤵
PID:6600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --field-trial-handle=11456,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=11444 /prefetch:1
2⤵
PID:6668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --field-trial-handle=11396,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=11152 /prefetch:1
2⤵
PID:6676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --field-trial-handle=11776,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=11476 /prefetch:1
2⤵
PID:7072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --field-trial-handle=11744,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=11728 /prefetch:1
2⤵
PID:7112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --field-trial-handle=10976,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=10692 /prefetch:1
2⤵
PID:6972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --field-trial-handle=9912,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6564 /prefetch:1
2⤵
PID:6300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --field-trial-handle=7244,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8140 /prefetch:1
2⤵
PID:6196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --field-trial-handle=9028,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=10468 /prefetch:1
2⤵
PID:6272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=7052,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4896 /prefetch:8
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:6536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=8336,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=8384 /prefetch:8
2⤵
PID:5416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=8092,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7272 /prefetch:8
2⤵
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=110 --field-trial-handle=9528,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7292 /prefetch:1
2⤵
PID:1436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=111 --field-trial-handle=6028,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=9036 /prefetch:1
2⤵
PID:5548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=112 --field-trial-handle=9012,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5000 /prefetch:1
2⤵
PID:5516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=113 --field-trial-handle=4968,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4716 /prefetch:1
2⤵
PID:7120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=114 --field-trial-handle=5032,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4296 /prefetch:1
2⤵
PID:5680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8308,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6140 /prefetch:8
2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:6152

C:\Users\Admin\Downloads\MEmu-setup-abroad-02bf66ec.exe
"C:\Users\Admin\Downloads\MEmu-setup-abroad-02bf66ec.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:7072

C:\Program Files\Microvirt\tempDir\Setup.exe
"C:\Program Files\Microvirt\tempDir\Setup.exe" --insPath "C:\Program Files\Microvirt" -l 2 --channel cd5e1e15 --noCheckMd5 --callbackProcessInfo --callbackExitCode /S
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:8064

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:6384

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
4⤵
- Launches sc.exe
PID:5996

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuUSB
4⤵
- Launches sc.exe
PID:2596

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuNetFlt
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:856

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuNetLwf
4⤵
- Launches sc.exe
PID:3044

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuNetAdp
4⤵
- Launches sc.exe
PID:7472

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuNetFlt
4⤵
- Launches sc.exe
PID:7648

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuNetLwf
4⤵
- Launches sc.exe
PID:7808

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuNetAdp
4⤵
- Launches sc.exe
PID:7620

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuUSBMon
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:7396

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuDrv
4⤵
- Launches sc.exe
PID:5376

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" query MEmuDrv
4⤵
- Launches sc.exe
PID:576

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" query MEmuUSBMon
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:7484

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" query MEmuNetFlt
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3376

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" query MEmuNetLwf
4⤵
- Launches sc.exe
PID:5884

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" query MEmuNetAdp
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1320

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
4⤵
- Launches sc.exe
PID:5636

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:7816

C:\Program Files\Microvirt\tempDir\7za.exe
"C:\Program Files\Microvirt\tempDir\7za.exe" x -y -aoa "C:\Program Files\Microvirt\tempDir\Setup.7z" "-oC:\Program Files\Microvirt"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1076

C:\Program Files\Microvirt\tempDir\7za.exe
"C:\Program Files\Microvirt\tempDir\7za.exe" x -y -aoa "C:\Program Files\Microvirt\MEmuHyperv64.7z" "-oC:\Program Files\Microvirt\MEmuHyperv"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:6240

C:\Program Files\Microvirt\tempDir\7za.exe
"C:\Program Files\Microvirt\tempDir\7za.exe" x -y -aoa "C:\Program Files\Microvirt\MEmuHyperv32.7z" "-oC:\Program Files\Microvirt\MEmuHyperv\x86" libcurl.dll libcrypto-1_1.dll libssl-1_1.dll msvcp100.dll msvcr100.dll msvcr120.dll MEmuC.dll MEmuHPV.dll MEmuProxyStub.dll MEmuREM.dll MEmuRT.dll
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:7268

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuDrv
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2816

C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe" driver install "C:\Program Files\Microvirt\MEmuHyperv\MEmuDrv.inf"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:5868

C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" list runningvms
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7804

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" /UnregServer
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5544

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:7184

C:\Windows\system32\regsvr32.exe
/s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
5⤵
- Loads dropped DLL
PID:7352

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"
4⤵
- Loads dropped DLL
PID:4880

C:\Windows\system32\regsvr32.exe
/s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"
5⤵
- Loads dropped DLL
- Modifies registry class
PID:436

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" /RegServer
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
4⤵
PID:8172

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
5⤵
PID:1728

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"
4⤵
PID:3528

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"
5⤵
- Modifies registry class
PID:5540

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuC.dll"
4⤵
PID:3796

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuProxyStub.dll"
4⤵
- Modifies registry class
PID:1212

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
4⤵
- Launches sc.exe
PID:920

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5624

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
4⤵
- Launches sc.exe
PID:7572

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc start MEmuSVC
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:7584

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:8092

C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" setproperty machinefolder "C:\Program Files\Microvirt\MEmu\MemuHyperv VMs"
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7784

C:\Program Files\Microvirt\MEmu\MEmuRepair.exe
"C:\Program Files\Microvirt\MEmu\MEmuRepair.exe" --getVtStatus
4⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" setproperty machinefolder "C:\Program Files\Microvirt\MEmu\MemuHyperv VMs"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4132

C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" showmediuminfo "C:\Program Files\Microvirt\MEmu\image\96\MEmu96-2024072300027FFF-disk1.vmdk"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:7628

C:\Program Files\Microvirt\MEmu\MEmuc.exe
"C:\Program Files\Microvirt\MEmu\MEmuc.exe" create 96
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:7480

C:\Program Files\Microvirt\MEmu\MEmuConsole.exe
"C:\Program Files\Microvirt\MEmu\MEmuConsole.exe" -b
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5816

C:\Program Files\Microvirt\MEmu\MEmu.exe
"C:\Program Files\Microvirt\MEmu\MEmu.exe" adjustconfig MEmu
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:8128

C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" list runningvms
4⤵
- Executes dropped EXE
PID:3264

C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" list runningvms
4⤵
- Executes dropped EXE
PID:6516

C:\Program Files\Microvirt\MEmu\screenrecord.exe
"C:\Program Files\Microvirt\MEmu\screenrecord.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:1476

C:\Program Files\Microvirt\MEmu\MEmu.exe
"C:\Program Files\Microvirt\MEmu\MEmu.exe" install
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
PID:948

C:\Windows\SysWOW64\explorer.exe
explorer.exe "http://www.memuplay.com/thanks/"
4⤵
- System Location Discovery: System Language Discovery
PID:3476

C:\Program Files\Microvirt\MEmu\MEmuRepair.exe
"C:\Program Files\Microvirt\MEmu\MEmuRepair.exe" --getVtStatus
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 1068
3⤵
- Program crash
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 1068
3⤵
- Program crash
PID:3132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=116 --field-trial-handle=8928,i,15089026355756741181,10630322601592136183,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6076 /prefetch:1
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1224

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004C8
1⤵
PID:5456

C:\Users\Admin\AppData\Local\Temp\Product_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\Product_files\rsStubActivator.exe" -ip:"dui=8a7417d2526f9dfe645041098830c6ca6446be80&dit=20240725092268256&is_silent=true&oc=DOT_RAV_Cross_Tri_NCB&p=c52b&a=100&b=&se=true" -vp:"dui=8a7417d2526f9dfe645041098830c6ca6446be80&dit=20240725092268256&oc=DOT_RAV_Cross_Tri_NCB&p=c52b&a=100&oip=26&ptl=7&dta=true" -dp:"dui=8a7417d2526f9dfe645041098830c6ca6446be80&dit=20240725092268256&oc=DOT_RAV_Cross_Tri_NCB&p=c52b&a=100" -i -v -d
1⤵
- Executes dropped EXE
PID:2932

C:\Users\Admin\AppData\Local\Temp\krtk0b1r.exe
"C:\Users\Admin\AppData\Local\Temp\krtk0b1r.exe" /silent
2⤵
- Executes dropped EXE
PID:424

C:\Users\Admin\AppData\Local\Temp\7zS8A10DD5A\UnifiedStub-installer.exe
.\UnifiedStub-installer.exe /silent
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:6532

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
4⤵
- Executes dropped EXE
PID:4704

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
4⤵
- Adds Run key to start application
PID:7732

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
5⤵
- Checks processor information in registry
PID:7812

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
6⤵
PID:3948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
4⤵
PID:6008

C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
4⤵
- Suspicious behavior: LoadsDriver
PID:3088

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
4⤵
PID:7028

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4380

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i
4⤵
PID:2656

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i
4⤵
- Modifies system certificate store
PID:8000

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i
4⤵
PID:780

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i -i
4⤵
PID:428

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i -i
4⤵
- Drops file in Program Files directory
PID:4852

\??\c:\windows\system32\rundll32.exe
"c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\DNS\rsDwf.inf
4⤵
- Adds Run key to start application
PID:8160

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
5⤵
- Checks processor information in registry
PID:7912

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
6⤵
PID:5352

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe" -i -i
4⤵
PID:8288

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -i -service install
4⤵
PID:4924

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -service install
4⤵
PID:6796

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe" -i -i
4⤵
PID:6448

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:6844

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:6216

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5392

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EditConvertFrom.mp3"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:8084

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:7744

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Program Files\Microvirt\MEmu\MemuService.exe
"C:\Program Files\Microvirt\MEmu\MemuService.exe"
1⤵
- Executes dropped EXE
PID:4964

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:7440

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1172

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1516

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.memuplay.com/thanks/
2⤵
- Enumerates system info in registry
- Suspicious use of SendNotifyMessage
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffa203b3cb8,0x7ffa203b3cc8,0x7ffa203b3cd8
3⤵
PID:1212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
3⤵
PID:7808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
3⤵
PID:7660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
3⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
3⤵
PID:5888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
3⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
3⤵
PID:7224

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
3⤵
PID:7812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
3⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:1
3⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
3⤵
PID:1100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
3⤵
PID:6536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
3⤵
PID:6452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4068 /prefetch:2
3⤵
PID:6344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
3⤵
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
3⤵
PID:6896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4996 /prefetch:8
3⤵
PID:7296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5468 /prefetch:8
3⤵
PID:7344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
3⤵
PID:5208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
3⤵
PID:6704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
3⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
3⤵
PID:6028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,14091160954729850512,14613594463427377704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6392 /prefetch:8
3⤵
- NTFS ADS
PID:3472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7072 -ip 7072
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 7072 -ip 7072
1⤵
PID:5972

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:3964

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1224

C:\Windows\System32\dialer.exe
"C:\Windows\System32\dialer.exe"
1⤵
PID:7172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:7364

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
PID:6016

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
PID:6168

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:7368

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
PID:8040

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\WannaCry.EXE"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:1424

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:5512

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5204

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:7944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 37661721899678.bat
2⤵
- System Location Discovery: System Language Discovery
PID:5580

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:7552

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:3420

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
PID:4524

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- System Location Discovery: System Language Discovery
PID:3032

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
PID:7420

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- System Location Discovery: System Language Discovery
PID:5492

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- System Location Discovery: System Language Discovery
PID:3792

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
PID:7480

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
PID:5040

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "jfzplzsiyhdjbb859" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\tasksche.exe\"" /f
2⤵
PID:7868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "jfzplzsiyhdjbb859" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:6384

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6792

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
PID:6820

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
PID:428

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8044

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
PID:6728

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
PID:6312

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
PID:420

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3152

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2416

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4460

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
PID:3192

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3224

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8076

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
PID:4996

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:720

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
PID:7444

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- System Location Discovery: System Language Discovery
PID:5348

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
PID:1692

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:4716

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:2684

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:3580

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:2636

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:3128

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
PID:3876

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:2656

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:7968

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
PID:5892

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:5916

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:7608

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
PID:1696

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:6656

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- System Location Discovery: System Language Discovery
PID:7344

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
PID:2864

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:6036

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- System Location Discovery: System Language Discovery
PID:4924

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
PID:1124

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:6184

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- System Location Discovery: System Language Discovery
PID:4016

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
PID:240

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:3112

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- System Location Discovery: System Language Discovery
PID:2300

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
PID:5228

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:2884

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:6424

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
PID:5268

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:7396

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- System Location Discovery: System Language Discovery
PID:5200

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
PID:5856

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:5708

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:4500

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:4584

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:6012

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- System Location Discovery: System Language Discovery
PID:1236

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:3376

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:6348

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:7032

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
PID:7260

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:3032

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:7528

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:4984

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:668

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- System Location Discovery: System Language Discovery
PID:4468

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:7344

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:8180

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:5428

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:3748

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:2964

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:5984

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
PID:8840

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:8672

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:8968

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
PID:8640

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:8664

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:7488

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:1232

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:4844

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:7460

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- System Location Discovery: System Language Discovery
PID:2792

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:9200

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- System Location Discovery: System Language Discovery
PID:2768

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:2552

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:8396

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:4472

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- System Location Discovery: System Language Discovery
PID:944

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:8088

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:1892

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- System Location Discovery: System Language Discovery
PID:6192

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:7908

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:5604

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:8344

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- System Location Discovery: System Language Discovery
PID:244

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:8504

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:3136

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:8620

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:4196

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:1176

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:8744

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:4452

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:4952

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:6848

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- System Location Discovery: System Language Discovery
PID:8408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5280

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:4704

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
PID:7088

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
PID:7664

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:7612

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:5628

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:7284

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:5068

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:4688

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:6556

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
PID:2592

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:2796

\??\c:\program files\reasonlabs\epp\rsHelper.exe
"c:\program files\reasonlabs\epp\rsHelper.exe"
2⤵
PID:5260

\??\c:\program files\reasonlabs\EPP\ui\EPP.exe
"c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
2⤵
PID:2700

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
3⤵
- Drops file in Windows directory
- Suspicious use of SendNotifyMessage
PID:7832

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2148 --field-trial-handle=2152,i,8132502314646316747,10157169520323956346,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:3012

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2548 --field-trial-handle=2152,i,8132502314646316747,10157169520323956346,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
PID:4544

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2716 --field-trial-handle=2152,i,8132502314646316747,10157169520323956346,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:5764

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3764 --field-trial-handle=2152,i,8132502314646316747,10157169520323956346,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:3876

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2664 --field-trial-handle=2152,i,8132502314646316747,10157169520323956346,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:2700

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4112 --field-trial-handle=2152,i,8132502314646316747,10157169520323956346,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:7740

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4056 --field-trial-handle=2152,i,8132502314646316747,10157169520323956346,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:2420

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2704 --field-trial-handle=2152,i,8132502314646316747,10157169520323956346,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:9084

C:\program files\reasonlabs\epp\rsLitmus.A.exe
"C:\program files\reasonlabs\epp\rsLitmus.A.exe"
2⤵
PID:4336

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Checks system information in the registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:5168

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"
1⤵
PID:6132

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
PID:8144

\??\c:\program files\reasonlabs\VPN\ui\VPN.exe
"c:\program files\reasonlabs\VPN\ui\VPN.exe" --minimized --focused --first-run
2⤵
PID:4924

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\VPN\ui\app.asar" --engine-path="c:\program files\reasonlabs\VPN" --minimized --focused --first-run
3⤵
- Drops file in Windows directory
- Suspicious use of SendNotifyMessage
PID:2896

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2176 --field-trial-handle=2180,i,534378622641506322,11637846537518787196,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:3420

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --mojo-platform-channel-handle=2596 --field-trial-handle=2180,i,534378622641506322,11637846537518787196,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
PID:7284

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2708 --field-trial-handle=2180,i,534378622641506322,11637846537518787196,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:7416

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3772 --field-trial-handle=2180,i,534378622641506322,11637846537518787196,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:1124

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3952 --field-trial-handle=2180,i,534378622641506322,11637846537518787196,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:7556

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3808

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2092

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe"
1⤵
PID:8172

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe"
1⤵
PID:3772

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe"
1⤵
- Modifies data under HKEY_USERS
PID:6492

\??\c:\program files\reasonlabs\DNS\ui\DNS.exe
"c:\program files\reasonlabs\DNS\ui\DNS.exe" --minimized --focused --first-run
2⤵
PID:8776

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\DNS\ui\app.asar" --engine-path="c:\program files\reasonlabs\DNS" --minimized --focused --first-run
3⤵
- Drops file in Windows directory
- Suspicious use of SendNotifyMessage
PID:8788

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2204 --field-trial-handle=2208,i,2782274783118277552,15049717645439074510,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:4016

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --mojo-platform-channel-handle=2612 --field-trial-handle=2208,i,2782274783118277552,15049717645439074510,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
PID:9176

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --app-user-model-id=com.reasonlabs.dns --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2740 --field-trial-handle=2208,i,2782274783118277552,15049717645439074510,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:9212

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3660 --field-trial-handle=2208,i,2782274783118277552,15049717645439074510,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:8212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:8820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery