zgrat | 35f087ef288829bd545c2493a3be65386a002aeb9f4d6f349558a88c4e5e7f3e

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	utorrent.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine	utorrent.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	uTorrent.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine	uTorrent.exe

Loads dropped DLL 16 IoCs

pid	Process
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2516	uTorrent.exe
2516	uTorrent.exe
2516	uTorrent.exe
2516	uTorrent.exe
1052	utorrent.exe
2516	uTorrent.exe
1832	OperaSetup.exe
1836	OperaSetup.exe
5088	OperaSetup.exe
4124	OperaSetup.exe
1340	2xoja4fh.exe
1668	OperaSetup.exe
1520	uTorrent.exe
1816	RAVEndPointProtection-installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001900000002ab30-190.dat	upx
behavioral2/memory/1052-198-0x0000000000400000-0x00000000009C2000-memory.dmp	upx
behavioral2/memory/1052-243-0x0000000000400000-0x00000000009C2000-memory.dmp	upx
behavioral2/memory/1520-507-0x0000000000400000-0x00000000009C2000-memory.dmp	upx
behavioral2/memory/1520-899-0x0000000000400000-0x00000000009C2000-memory.dmp	upx
behavioral2/memory/1520-4469-0x0000000000400000-0x00000000009C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Run\ut = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" /MINIMIZED"	uTorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Run\ut = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe /MINIMIZED"	utorrent.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	utorrent_installer.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\SOFTWARE\AVG\AV\Dir	utorrent_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	utorrent_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	utorrent_installer.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\SOFTWARE\AVAST Software\Avast	utorrent_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	utorrent_installer.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 1732	2920	updater.exe	98

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\en-US.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\zh-CN.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\updater.cab	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\wa-core.js	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\wa_install_close.png	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-shared-zh-CN.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\am.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-install-en-US.js	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-install-ko-KR.js	installer.exe
File opened for modification	C:\Program Files\ReasonLabs\EPP\Uninstall.exe	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ms.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\downloadscan.cab	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\LICENSE	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\mcafee_pc_install_icon.png	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\eula-pt-BR.txt	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-install-el-GR.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sv.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\browserplugin.cab	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-shared-el-GR.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ml.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\th.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\v8_context_snapshot.bin	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\eula-zh-TW.txt	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-install-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fi.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\eula-el-GR.txt	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\eula-en-US.txt	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\eula-ja-JP.txt	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\eula-pt-PT.txt	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\Uninstall.exe	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\snapshot_blob.bin	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\balloon_safe_annotation.png	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libGLESv2.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\nb.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-shared-fr-CA.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\bg.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader_icd.json	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\wa-install.html	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\wataskmanager.cab	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-shared-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\bn.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-install-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-install-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\mfw-webadvisor.cab	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\eula-de-DE.txt	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-install-nb-NO.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\da.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sw.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-shared-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-shared-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\wa-common.css	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\eula-cs-CZ.txt	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\eula-da-DK.txt	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-install-sk-SK.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\chrome_100_percent.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\te.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\webadvisor.cab	installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\eula-nl-NL.txt	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\es.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-install-tr-TR.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\lt.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp3591553004\jslang\wa-res-shared-pt-BR.js	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	uTorrent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	uTorrent.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	uTorrent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	uTorrent.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	utorrent_installer.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	utorrent_installer.tmp

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3284	schtasks.exe
7328	schtasks.exe
7172	schtasks.exe
4784	schtasks.exe
1028	schtasks.exe
3276	schtasks.exe
7108	schtasks.exe
8864	schtasks.exe
6100	schtasks.exe
4192	schtasks.exe
992	schtasks.exe
6776	schtasks.exe
6368	schtasks.exe
8948	schtasks.exe
7848	schtasks.exe
8712	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	uTorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\utorrentie.exe = "11000"	uTorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	uTorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\utorrentie.exe = "1"	uTorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION	uTorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION\utorrentie.exe = "0"	uTorrent.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.btsearch\OpenWithProgids	utorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent\Extension = ".torrent"	utorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-skin\Extension = ".btskin"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Magnet	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Magnet\ = "Magnet URI"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Magnet\shell\open	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\bittorrent\ = "bittorrent URI"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.btinstall	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.torrent	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Magnet\shell\open\command	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.btsearch\OpenWithProgids\uTorrent	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.btsearch	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Magnet\Content Type = "application/x-magnet"	utorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-key	utorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-app\Extension = ".btapp"	utorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-skin	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Magnet\shell	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Magnet\DefaultIcon	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Applications\uTorrent.exe\shell	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Applications	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.torrent\Content Type = "application/x-bittorrent"	utorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml\Extension = ".btsearch"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\bittorrent\shell\open	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\bittorrent\shell\ = "open"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.btskin	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-skin\Extension = ".btskin"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-key	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Applications\uTorrent.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" \"%1\" /SHELLASSOC"	utorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\uTorrent\Content Type	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Applications\uTorrent.exe	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Magnet\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" \"%1\" /SHELLASSOC"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\bittorrent\DefaultIcon	utorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-appinst	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\bittorrent\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\maindoc.ico"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.btapp\Content Type = "application/x-bittorrent-app"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\bittorrent\shell\open\command	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.btapp	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.btapp\ = "uTorrent"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-skin	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.btsearch\Content Type = "application/x-bittorrentsearchdescription+xml"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Magnet\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\maindoc.ico"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\uTorrent\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" \"%1\" /SHELLASSOC"	utorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml\Extension = ".btsearch"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Magnet\shell\ = "open"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.btskin\Content Type = "application/x-bittorrent-skin"	utorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-key\Extension = ".btkey"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\uTorrent\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\maindoc.ico"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\uTorrent\shell	utorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-app	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.btkey\Content Type = "application/x-bittorrent-key"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\FalconBetaAccount	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\MIME\Database\Content Type\application/x-bittorrent	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\MIME\Database\Content Type\application/x-bittorrent-appinst	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Applications\uTorrent.exe\shell\open\command	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\bittorrent\shell	utorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrent-appinst\Extension = ".btinstall"	utorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\uTorrent	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Magnet\URL Protocol	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\bittorrent\URL Protocol	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.btskin\ = "uTorrent"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\.btinstall\Content Type = "application/x-bittorrent-appinst"	utorrent.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	utorrent.exe
1972	utorrent.exe
2944	powershell.exe
2944	powershell.exe
1972	utorrent.exe
1972	utorrent.exe
1972	utorrent.exe
1972	utorrent.exe
1972	utorrent.exe
1972	utorrent.exe
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2804	utorrent_installer.tmp
2920	updater.exe
2920	updater.exe
3388	powershell.exe
3388	powershell.exe
2920	updater.exe
2920	updater.exe
2920	updater.exe
2920	updater.exe
2920	updater.exe
2920	updater.exe
1732	conhost.exe
1732	conhost.exe
5100	powershell.exe
5100	powershell.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
4456	powershell.exe
4456	powershell.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
1732	conhost.exe
3368	saBSI.exe
3368	saBSI.exe
3368	saBSI.exe
3368	saBSI.exe
3368	saBSI.exe
3368	saBSI.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1520	uTorrent.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4192	msedgewebview2.exe
4192	msedgewebview2.exe
4192	msedgewebview2.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeManageVolumePrivilege	1052	utorrent.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	3064	component0.exe
Token: SeDebugPrivilege	1816	RAVEndPointProtection-installer.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeShutdownPrivilege	1816	RAVEndPointProtection-installer.exe
Token: SeCreatePagefilePrivilege	1816	RAVEndPointProtection-installer.exe
Token: SeManageVolumePrivilege	1520	uTorrent.exe
Token: SeDebugPrivilege	5508	powershell.exe
Token: SeDebugPrivilege	6392	powershell.exe
Token: SeDebugPrivilege	5304	powershell.exe
Token: SeDebugPrivilege	6700	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
2804	utorrent_installer.tmp
1520	uTorrent.exe
1520	uTorrent.exe
1520	uTorrent.exe
4192	msedgewebview2.exe
4192	msedgewebview2.exe
4192	msedgewebview2.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1520	uTorrent.exe
1520	uTorrent.exe
1520	uTorrent.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 1972	3364	utorrent(2).exe	79
PID 3364 wrote to memory of 1972	3364	utorrent(2).exe	79
PID 3364 wrote to memory of 5044	3364	utorrent(2).exe	91
PID 3364 wrote to memory of 5044	3364	utorrent(2).exe	91
PID 3364 wrote to memory of 5044	3364	utorrent(2).exe	91
PID 5044 wrote to memory of 2804	5044	utorrent_installer.exe	93
PID 5044 wrote to memory of 2804	5044	utorrent_installer.exe	93
PID 5044 wrote to memory of 2804	5044	utorrent_installer.exe	93
PID 2920 wrote to memory of 1732	2920	updater.exe	98
PID 2804 wrote to memory of 2516	2804	utorrent_installer.tmp	106
PID 2804 wrote to memory of 2516	2804	utorrent_installer.tmp	106
PID 2804 wrote to memory of 2516	2804	utorrent_installer.tmp	106
PID 2516 wrote to memory of 1052	2516	uTorrent.exe	107
PID 2516 wrote to memory of 1052	2516	uTorrent.exe	107
PID 2516 wrote to memory of 1052	2516	uTorrent.exe	107
PID 2804 wrote to memory of 3064	2804	utorrent_installer.tmp	116
PID 2804 wrote to memory of 3064	2804	utorrent_installer.tmp	116
PID 2804 wrote to memory of 3368	2804	utorrent_installer.tmp	117
PID 2804 wrote to memory of 3368	2804	utorrent_installer.tmp	117
PID 2804 wrote to memory of 3368	2804	utorrent_installer.tmp	117
PID 2804 wrote to memory of 1832	2804	utorrent_installer.tmp	118
PID 2804 wrote to memory of 1832	2804	utorrent_installer.tmp	118
PID 2804 wrote to memory of 1832	2804	utorrent_installer.tmp	118
PID 1832 wrote to memory of 1836	1832	OperaSetup.exe	119
PID 1832 wrote to memory of 1836	1832	OperaSetup.exe	119
PID 1832 wrote to memory of 1836	1832	OperaSetup.exe	119
PID 1832 wrote to memory of 5088	1832	OperaSetup.exe	120
PID 1832 wrote to memory of 5088	1832	OperaSetup.exe	120
PID 1832 wrote to memory of 5088	1832	OperaSetup.exe	120
PID 3064 wrote to memory of 1340	3064	component0.exe	121
PID 3064 wrote to memory of 1340	3064	component0.exe	121
PID 3064 wrote to memory of 1340	3064	component0.exe	121
PID 1832 wrote to memory of 4124	1832	OperaSetup.exe	122
PID 1832 wrote to memory of 4124	1832	OperaSetup.exe	122
PID 1832 wrote to memory of 4124	1832	OperaSetup.exe	122
PID 4124 wrote to memory of 1668	4124	OperaSetup.exe	123
PID 4124 wrote to memory of 1668	4124	OperaSetup.exe	123
PID 4124 wrote to memory of 1668	4124	OperaSetup.exe	123
PID 1340 wrote to memory of 1816	1340	2xoja4fh.exe	124
PID 1340 wrote to memory of 1816	1340	2xoja4fh.exe	124
PID 1816 wrote to memory of 4680	1816	RAVEndPointProtection-installer.exe	144
PID 1816 wrote to memory of 4680	1816	RAVEndPointProtection-installer.exe	144
PID 2804 wrote to memory of 1520	2804	utorrent_installer.tmp	131
PID 2804 wrote to memory of 1520	2804	utorrent_installer.tmp	131
PID 2804 wrote to memory of 1520	2804	utorrent_installer.tmp	131
PID 1520 wrote to memory of 2020	1520	uTorrent.exe	134
PID 1520 wrote to memory of 2020	1520	uTorrent.exe	134
PID 1520 wrote to memory of 2020	1520	uTorrent.exe	134
PID 1520 wrote to memory of 4584	1520	uTorrent.exe	137
PID 1520 wrote to memory of 4584	1520	uTorrent.exe	137
PID 1520 wrote to memory of 4584	1520	uTorrent.exe	137
PID 2020 wrote to memory of 2368	2020	utorrentie.exe	138
PID 2020 wrote to memory of 2368	2020	utorrentie.exe	138
PID 2368 wrote to memory of 3768	2368	msedgewebview2.exe	139
PID 2368 wrote to memory of 3768	2368	msedgewebview2.exe	139
PID 1520 wrote to memory of 1416	1520	uTorrent.exe	140
PID 1520 wrote to memory of 1416	1520	uTorrent.exe	140
PID 1520 wrote to memory of 1416	1520	uTorrent.exe	140
PID 4584 wrote to memory of 4192	4584	utorrentie.exe	141
PID 4584 wrote to memory of 4192	4584	utorrentie.exe	141
PID 4192 wrote to memory of 3724	4192	msedgewebview2.exe	142
PID 4192 wrote to memory of 3724	4192	msedgewebview2.exe	142
PID 1416 wrote to memory of 3568	1416	utorrentie.exe	143
PID 1416 wrote to memory of 3568	1416	utorrentie.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3336
- C:\Users\Admin\AppData\Local\Temp\utorrent(2).exe
  "C:\Users\Admin\AppData\Local\Temp\utorrent(2).exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\utorrent.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\utorrent.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1972
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\utorrent_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\utorrent_installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\is-4DED7.tmp\utorrent_installer.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-4DED7.tmp\utorrent_installer.tmp" /SL5="$9022E,874637,815104,C:\Users\Admin\AppData\Local\Temp\RarSFX0\utorrent_installer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\uTorrent.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\uTorrent.exe" /S /FORCEINSTALL 1110010101111110
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Users\Admin\AppData\Local\Temp\nsmE38B.tmp\utorrent.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsmE38B.tmp\utorrent.exe" /S /FORCEINSTALL 1110010101111110
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
    - - C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\component0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\component0.exe" -ip:"dui=981cd638-ed7f-49c8-9279-8adbf5136872&dit=20240506165138&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100&b=&se=true" -vp:"dui=981cd638-ed7f-49c8-9279-8adbf5136872&dit=20240506165138&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100&oip=26&ptl=7&dta=true" -dp:"dui=981cd638-ed7f-49c8-9279-8adbf5136872&dit=20240506165138&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100" -i -v -d -se=true
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Users\Admin\AppData\Local\Temp\2xoja4fh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2xoja4fh.exe" /silent
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\nswFBA8.tmp\RAVEndPointProtection-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nswFBA8.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\2xoja4fh.exe" /silent
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
        
        "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
        8⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
        8⤵
        
        PID:8956
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        9⤵
        
        PID:9056
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        10⤵
        
        PID:5288
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
        8⤵
        
        PID:8012
        
        C:\Windows\SYSTEM32\fltmc.exe
        
        "fltmc.exe" load rsKernelEngine
        8⤵
        
        PID:6848
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
        8⤵
        
        PID:7844
        
        C:\Program Files\ReasonLabs\EPP\rsWSC.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
        8⤵
        
        PID:6304
    - - C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\component1_extract\saBSI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\component1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:3368
      - C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\component1_extract\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\component1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:7132
        
        C:\Program Files\McAfee\Temp3591553004\installer.exe
        
        "C:\Program Files\McAfee\Temp3591553004\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        7⤵
        Executes dropped EXE
        
        PID:5260
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        8⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        9⤵
        
        PID:6076
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
        8⤵
        
        PID:1048
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        8⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        9⤵
        
        PID:5956
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
        8⤵
        
        PID:6880
    - - C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\component2_extract\OperaSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\component2_extract\OperaSetup.exe" --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_a
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:1832
      - C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\component2_extract\OperaSetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\component2_extract\OperaSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2bc,0x2c4,0x2c8,0x2c0,0x2cc,0x71cee1d0,0x71cee1dc,0x71cee1e8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1836
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5088
      - C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\component2_extract\OperaSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\component2_extract\OperaSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1832 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240506165210" --session-guid=fa46a110-4d2d-452c-9326-ae1c969659a8 --server-tracking-blob=YjVkZDJlOGFkOTBiZjFmNjI0MDNkMDJhMzdhZTk2MzU1NWNkMTI1ZmZkZjlhYWM3MDg5ODMyZGZhY2E1NDM1YTp7ImNvdW50cnkiOiJJTCIsImVkaXRpb24iOiJjZGYiLCJpbnN0YWxsZXJfbmFtZSI6Ik9wZXJhU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmEifSwicXVlcnkiOiIvZWRpdGlvbi9jZGY/dXRtX2NvbnRlbnQ9Y2RmJnV0bV9tZWRpdW09cGIiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTI0NzU3NzIuMDk1MiIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjMuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wZXJhX25ld19hIiwiY29udGVudCI6ImNkZiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6ImFpcyJ9LCJ1dWlkIjoiNGQ1NTg2MjEtNjlkNy00Nzk0LTk5ZDMtY2NmODEwMjY4YTg3In0= --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=E005000000000000
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\component2_extract\OperaSetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\is-2DB1D.tmp\component2_extract\OperaSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2c0,0x70b3e1d0,0x70b3e1dc,0x70b3e1e8
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1668
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405061652101\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405061652101\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
        6⤵
        
        PID:7664
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405061652101\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405061652101\assistant\assistant_installer.exe" --version
        6⤵
        
        PID:7640
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405061652101\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405061652101\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0xc16038,0xc16044,0xc16050
        7⤵
        
        PID:6920
    - - C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe
        
        "C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Adds Run key to start application
        Checks SCSI registry key(s)
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47082\utorrentie.exe
        
        "C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47082\utorrentie.exe" uTorrent_1520_00C35408_1932362971 µTorrent4823DF041B09 uTorrent ce unp
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=utorrentie.exe --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-features=msEnhancedTrackingPreventionEnabled --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=2020.2848.17218132904399501928
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x80,0x7ffa0dd93cb8,0x7ffa0dd93cc8,0x7ffa0dd93cd8
        8⤵
        
        PID:3768
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1288,901233266913029872,16514097096523297076,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
        8⤵
        
        PID:420
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1288,901233266913029872,16514097096523297076,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=1956 /prefetch:3
        8⤵
        
        PID:2488
      - C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47082\utorrentie.exe
        
        "C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47082\utorrentie.exe" uTorrent_1520_03C72640_558224451 µTorrent4823DF041B09 uTorrent ce unp
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=utorrentie.exe --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-features=msEnhancedTrackingPreventionEnabled --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=4584.2944.10747001204948474720
        7⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1b4,0x7ffa0dd93cb8,0x7ffa0dd93cc8,0x7ffa0dd93cd8
        8⤵
        
        PID:3724
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1860,4102331092825376642,3332566017904095550,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
        8⤵
        
        PID:2468
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,4102331092825376642,3332566017904095550,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=1924 /prefetch:3
        8⤵
        
        PID:2800
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,4102331092825376642,3332566017904095550,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2416 /prefetch:8
        8⤵
        
        PID:4888
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1860,4102331092825376642,3332566017904095550,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
        8⤵
        
        PID:5380
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1860,4102331092825376642,3332566017904095550,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        8⤵
        
        PID:6000
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1860,4102331092825376642,3332566017904095550,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
        8⤵
        
        PID:5952
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,4102331092825376642,3332566017904095550,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=4428 /prefetch:8
        8⤵
        
        PID:6788
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=1860,4102331092825376642,3332566017904095550,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=entity_extraction --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=5176 /prefetch:8
        8⤵
        
        PID:6296
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1860,4102331092825376642,3332566017904095550,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
        8⤵
        
        PID:5656
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1860,4102331092825376642,3332566017904095550,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
        8⤵
        
        PID:6936
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1860,4102331092825376642,3332566017904095550,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2544 /prefetch:1
        8⤵
        
        PID:7404
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1860,4102331092825376642,3332566017904095550,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=audio --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=3336 /prefetch:8
        8⤵
        
        PID:3916
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1860,4102331092825376642,3332566017904095550,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
        8⤵
        
        PID:8412
      - C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47082\utorrentie.exe
        
        "C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47082\utorrentie.exe" uTorrent_1520_03C734B0_366394957 µTorrent4823DF041B09 uTorrent ce unp
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=utorrentie.exe --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-features=msEnhancedTrackingPreventionEnabled --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=1416.4260.4382683437387749079
        7⤵
        
        PID:3568
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1b8,0x7ffa0dd93cb8,0x7ffa0dd93cc8,0x7ffa0dd93cd8
        8⤵
        
        PID:4680
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1808,491808125205534096,3809606342463465582,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1820 /prefetch:2
        8⤵
        
        PID:6016
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1808,491808125205534096,3809606342463465582,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2092 /prefetch:3
        8⤵
        
        PID:6028
      - C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47082\utorrentie.exe
        
        "C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47082\utorrentie.exe" uTorrent_1520_03C728A8_764330080 µTorrent4823DF041B09 uTorrent ce unp
        6⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=utorrentie.exe --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-features=msEnhancedTrackingPreventionEnabled --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=1536.1804.6227723948725992074
        7⤵
        
        PID:5152
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1b8,0x7ffa0dd93cb8,0x7ffa0dd93cc8,0x7ffa0dd93cd8
        8⤵
        
        PID:5360
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1780,2125691630491842622,5825132329751712654,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1796 /prefetch:2
        8⤵
        
        PID:5724
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1780,2125691630491842622,5825132329751712654,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnhancedTrackingPreventionEnabled,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\uTorrent.WebView2\EBWebView" --webview-exe-name=utorrentie.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=1936 /prefetch:3
        8⤵
        
        PID:5708
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://utorrent.com/prodnews?v=3%2e6%2e0%2e1%2e47082&pv=0.0.0.0.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa0dd93cb8,0x7ffa0dd93cc8,0x7ffa0dd93cd8
        7⤵
        
        PID:5728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,10981762916038063190,856642504334649425,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2032 /prefetch:2
        7⤵
        
        PID:5980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,10981762916038063190,856642504334649425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
        7⤵
        
        PID:5632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,10981762916038063190,856642504334649425,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
        7⤵
        
        PID:5308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10981762916038063190,856642504334649425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
        7⤵
        
        PID:6396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10981762916038063190,856642504334649425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
        7⤵
        
        PID:6412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10981762916038063190,856642504334649425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
        7⤵
        
        PID:5248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10981762916038063190,856642504334649425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
        7⤵
        
        PID:6832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10981762916038063190,856642504334649425,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
        7⤵
        
        PID:6072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10981762916038063190,856642504334649425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
        7⤵
        
        PID:6812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10981762916038063190,856642504334649425,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:1
        7⤵
        
        PID:5272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2024,10981762916038063190,856642504334649425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
        7⤵
        
        PID:6244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,10981762916038063190,856642504334649425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
        7⤵
        
        PID:6548
      - C:\Users\Admin\AppData\Roaming\uTorrent\helper\helper.exe
        
        "C:\Users\Admin\AppData\Roaming\uTorrent\helper\helper.exe" 16423 --hval X6pTCV54t6vR4Ezm -- -pid 1520 -version 47082
        6⤵
        
        PID:4860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3856
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\dgxygzexocvv.xml"
  2⤵
  - Creates scheduled task(s)
  PID:4192
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\dgxygzexocvv.xml"
  2⤵
  - Creates scheduled task(s)
  PID:4784
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\wzlcygfqusfz.xml"
  2⤵
  - Creates scheduled task(s)
  PID:1028
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\wzlcygfqusfz.xml"
  2⤵
  - Creates scheduled task(s)
  PID:992
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\wzlcygfqusfz.xml"
  2⤵
  - Creates scheduled task(s)
  PID:3276
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6392
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\dgxygzexocvv.xml"
  2⤵
  - Creates scheduled task(s)
  PID:6776
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\wzlcygfqusfz.xml"
  2⤵
  - Creates scheduled task(s)
  PID:7108
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5304
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\wzlcygfqusfz.xml"
  2⤵
  - Creates scheduled task(s)
  PID:6368
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\wzlcygfqusfz.xml"
  2⤵
  - Creates scheduled task(s)
  PID:3284
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\dgxygzexocvv.xml"
  2⤵
  - Creates scheduled task(s)
  PID:7328
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:7300
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\wzlcygfqusfz.xml"
  2⤵
  - Creates scheduled task(s)
  PID:8948
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:9016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6680
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\wzlcygfqusfz.xml"
  2⤵
  - Creates scheduled task(s)
  PID:7172
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:7328
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\wzlcygfqusfz.xml"
  2⤵
  - Creates scheduled task(s)
  PID:7848
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8220
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\dgxygzexocvv.xml"
  2⤵
  - Creates scheduled task(s)
  PID:8712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8660
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\wzlcygfqusfz.xml"
  2⤵
  - Creates scheduled task(s)
  PID:8864
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:8968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8936
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\wzlcygfqusfz.xml"
  2⤵
  - Creates scheduled task(s)
  PID:6100
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6784

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2920

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:1268

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:3612

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6404

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:5464

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:7176
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  PID:3088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:8728
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  PID:8216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:8280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:8436

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:9072

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004C0
1⤵
PID:2568

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:564

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:9048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery