eb228a9622c7950696e0422694aad00a38db86a9b102a1cbe5481eb935c5dfe1

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\yt-dlp\api-ms-win-crt-conio-l1-1-0.dll	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\is-2FK21.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\Imagine\is-PCLHV.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\Universal\is-SKDVV.tmp	videodownloader_trial_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\Qt5RemoteObjects.dll	videodownloader_trial_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\api-ms-win-core-string-l1-1-0.dll	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\yt-dlp\is-NTDMS.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\is-RCCG9.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\Imagine\is-0M36T.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\Universal\is-9VADF.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngine\Controls1Delegates\is-4TEQ0.tmp	videodownloader_trial_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\yt-dlp\api-ms-win-core-datetime-l1-1-0.dll	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\yt-dlp\is-FN5TE.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\is-NF5HI.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtGraphicalEffects\is-93O40.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\Fusion\is-SCTFU.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\Material\is-1GFCF.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Dialogs\images\is-HA9JQ.tmp	videodownloader_trial_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\yt-dlp\libffi-7.dll	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\yt-dlp\is-3H541.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\is-BE0MS.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\Private\is-EQB38.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\Styles\Base\is-JBH51.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\Styles\Base\is-5IANB.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\Material\is-PUIV2.tmp	videodownloader_trial_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\EUinApp.exe	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\is-0V4S8.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\is-3NDOQ.tmp	videodownloader_trial_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\yt-dlp\yt-dlp.exe	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\is-G506I.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtGraphicalEffects\is-TDCQG.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\Imagine\is-LUE4K.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\is-IOT8L.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\is-NHJDJ.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\yt-dlp\Cryptodome\Hash\is-4LFF8.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\mediaservice\is-TTGDM.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\Private\is-4GG90.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\Styles\Base\is-C5O32.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\Styles\Base\is-33LDI.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\Universal\is-UBMLL.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Dialogs\is-A3QP2.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick.2\is-IR7LB.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\Imagine\is-TMQD7.tmp	videodownloader_trial_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\is-G5UR7.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\qmltooling\is-87HU6.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\Styles\Base\is-LELKB.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\Fusion\is-I2CJK.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\Fusion\is-M82Q5.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\Imagine\is-1S020.tmp	videodownloader_trial_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\styles\qwindowsvistastyle.dll	videodownloader_trial_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\api-ms-win-core-synch-l1-1-0.dll	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\yt-dlp\is-1VVPP.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\Styles\Base\is-2G22S.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls.2\Universal\is-48L4V.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\is-M9HTN.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\Private\is-KJOFF.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Extras\is-GP05P.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\Styles\Base\images\is-11MLI.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\Controls\Styles\Desktop\is-8D5SQ.tmp	videodownloader_trial_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtQuick\PrivateWidgets\widgetsplugin.dll	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\is-SHV2L.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\is-HUV7T.tmp	videodownloader_trial_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\is-KIJ48.tmp	videodownloader_trial_easeus.tmp

Executes dropped EXE 60 IoCs

pid	Process
2180	EDownloader.exe
2024	InfoForSetup.exe
2868	InfoForSetup.exe
2880	InfoForSetup.exe
3064	InfoForSetup.exe
2044	AliyunWrapExe.Exe
2000	AliyunWrapExe.Exe
2604	InfoForSetup.exe
3028	InfoForSetup.exe
1984	InfoForSetup.exe
1256	InfoForSetup.exe
1964	InfoForSetup.exe
1428	InfoForSetup.exe
892	InfoForSetup.exe
2188	videodownloader_trial_easeus.exe
2612	videodownloader_trial_easeus.tmp
3068	InfoForSetup.exe
2528	AliyunWrapExe.Exe
1756	InfoForSetup.exe
1528	InfoForSetup.exe
2272	checkUp.exe
2412	InfoForSetup.exe
2764	SetupUE.exe
2736	InfoForSetup.exe
2816	InfoForSetup.exe
684	InfoForSetup.exe
876	sendInstallerUrl.exe
1472	AliyunWrapExe.Exe
916	InfoForSetup.exe
1572	InfoForSetup.exe
904	InfoForSetup.exe
2804	VideoDownloader.exe
2536	InfoForSetup.exe
2996	firebasefetch.exe
3864	QtWebEngineProcess.exe
3912	QtWebEngineProcess.exe
4076	QtWebEngineProcess.exe
1928	QtWebEngineProcess.exe
1864	QtWebEngineProcess.exe
780	QtWebEngineProcess.exe
2612	QtWebEngineProcess.exe
1340	QtWebEngineProcess.exe
3668	QtWebEngineProcess.exe
616	checkTimezone.exe
1036	prepare.exe
1180	versionActivate.exe
920	versionActivate.exe
3100	versionActivate.exe
2200	videodownload.exe
1656	media2mp3.exe
3996	prepare.exe
1116	checkUp.exe
1112	QtWebEngineProcess.exe
3980	QtWebEngineProcess.exe
2980	QtWebEngineProcess.exe
2320	QtWebEngineProcess.exe
3808	UIInnerbuy.exe
1772	versionActivate.exe
2192	QtWebEngineProcess.exe
2632	QtWebEngineProcess.exe

Loads dropped DLL 64 IoCs

pid	Process
2040	videodownloader_trial_Installer_20240530.695504.exe
2180	EDownloader.exe
2024	InfoForSetup.exe
2180	EDownloader.exe
2180	EDownloader.exe
2180	EDownloader.exe
2868	InfoForSetup.exe
2880	InfoForSetup.exe
2868	InfoForSetup.exe
2880	InfoForSetup.exe
3064	InfoForSetup.exe
2044	AliyunWrapExe.Exe
2000	AliyunWrapExe.Exe
2180	EDownloader.exe
2180	EDownloader.exe
2180	EDownloader.exe
3028	InfoForSetup.exe
1984	InfoForSetup.exe
2604	InfoForSetup.exe
2180	EDownloader.exe
1256	InfoForSetup.exe
2180	EDownloader.exe
2180	EDownloader.exe
2180	EDownloader.exe
1964	InfoForSetup.exe
1428	InfoForSetup.exe
892	InfoForSetup.exe
2180	EDownloader.exe
2188	videodownloader_trial_easeus.exe
2612	videodownloader_trial_easeus.tmp
2612	videodownloader_trial_easeus.tmp
2612	videodownloader_trial_easeus.tmp
2612	videodownloader_trial_easeus.tmp
2612	videodownloader_trial_easeus.tmp
3068	InfoForSetup.exe
3068	InfoForSetup.exe
2528	AliyunWrapExe.Exe
2612	videodownloader_trial_easeus.tmp
1756	InfoForSetup.exe
2612	videodownloader_trial_easeus.tmp
1528	InfoForSetup.exe
2612	videodownloader_trial_easeus.tmp
2612	videodownloader_trial_easeus.tmp
2612	videodownloader_trial_easeus.tmp
2612	videodownloader_trial_easeus.tmp
2612	videodownloader_trial_easeus.tmp
2612	videodownloader_trial_easeus.tmp
2412	InfoForSetup.exe
2612	videodownloader_trial_easeus.tmp
2612	videodownloader_trial_easeus.tmp
2736	InfoForSetup.exe
2764	SetupUE.exe
2764	SetupUE.exe
2764	SetupUE.exe
2764	SetupUE.exe
2816	InfoForSetup.exe
2816	InfoForSetup.exe
2816	InfoForSetup.exe
2764	SetupUE.exe
2612	videodownloader_trial_easeus.tmp
684	InfoForSetup.exe
684	InfoForSetup.exe
684	InfoForSetup.exe
876	sendInstallerUrl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	videodownloader_trial_easeus.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	videodownloader_trial_easeus.tmp

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3020	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C1757C1-1ECA-11EF-A5B4-4205ACB4EED4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000a51fe5809f533aa11646c86a5b2dfcc0feb8ef942c2a629af7615552f4b1220d000000000e8000000002000020000000089456a5a6dce5b7c4ee6e0a39891ad2dcd52a91917a7445bdf849ae91108099200000009f8ed751b34d794fc2012fa4147591228f7bf6a457cf746077d95b8b233dbc7540000000360e3ede9df68cff1c7bcff5204659e4de214c77e7107b6366dc608168162d3bfd98672e3964fda76d3679a6424c3562be195df456f993f4ca84d14d63ea6e13	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\update.easeus.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "41"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000b092e84eeeed2eeaf54d72780785ba93e75f29c67e9bfb4aff5b0380ce5676ca000000000e80000000020000200000007ecb655847676cfe97fb7f164340388141c72d0e46b0f8e75c9777c9f77ef39a90000000e88f16bf29a1080d67ad5b2a1d32609e43b5e50386198c36998414e266c294e93c9887730ffaaa2f80c04cd9e63f7bea87004ef486aa114d2811722918fb946d13d87c9260fe36b00e999167a99fb3bb9d7494665e95be9bf80b37491ee297cdece18b3124554edc0c940201d3c916bc6bed432a2f8beca3cb086edb9b5a85e0a0f650afb569e68d949fb6f76b7d450040000000fa69155d589e88fd194f337753b122900a01ec64eeadf909cdfe15e6c7d509bd4b2dd4e02aa5e263354d358285f9e7f4cf9800eaf9df12bb7916caaef8520a1f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\easeus.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\easeus.com\Total = "41"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0256922d7b2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	EDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\easeus.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\update.easeus.com\ = "41"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	QtWebEngineProcess.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	QtWebEngineProcess.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	prepare.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	VideoDownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	QtWebEngineProcess.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	versionActivate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VideoDownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	QtWebEngineProcess.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	QtWebEngineProcess.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	QtWebEngineProcess.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	prepare.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	versionActivate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	QtWebEngineProcess.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	QtWebEngineProcess.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2804	VideoDownloader.exe
3808	UIInnerbuy.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2612	videodownloader_trial_easeus.tmp
2612	videodownloader_trial_easeus.tmp
2804	VideoDownloader.exe
2804	VideoDownloader.exe
3808	UIInnerbuy.exe
3988	chrome.exe
3988	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	VideoDownloader.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2612	videodownloader_trial_easeus.tmp
2180	EDownloader.exe
2496	iexplore.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2180	EDownloader.exe
2180	EDownloader.exe
2496	iexplore.exe
2496	iexplore.exe
2804	VideoDownloader.exe
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe
2804	VideoDownloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2180	2040	videodownloader_trial_Installer_20240530.695504.exe	28
PID 2040 wrote to memory of 2180	2040	videodownloader_trial_Installer_20240530.695504.exe	28
PID 2040 wrote to memory of 2180	2040	videodownloader_trial_Installer_20240530.695504.exe	28
PID 2040 wrote to memory of 2180	2040	videodownloader_trial_Installer_20240530.695504.exe	28
PID 2180 wrote to memory of 2024	2180	EDownloader.exe	29
PID 2180 wrote to memory of 2024	2180	EDownloader.exe	29
PID 2180 wrote to memory of 2024	2180	EDownloader.exe	29
PID 2180 wrote to memory of 2024	2180	EDownloader.exe	29
PID 2180 wrote to memory of 2024	2180	EDownloader.exe	29
PID 2180 wrote to memory of 2024	2180	EDownloader.exe	29
PID 2180 wrote to memory of 2024	2180	EDownloader.exe	29
PID 2180 wrote to memory of 2868	2180	EDownloader.exe	30
PID 2180 wrote to memory of 2868	2180	EDownloader.exe	30
PID 2180 wrote to memory of 2868	2180	EDownloader.exe	30
PID 2180 wrote to memory of 2868	2180	EDownloader.exe	30
PID 2180 wrote to memory of 2868	2180	EDownloader.exe	30
PID 2180 wrote to memory of 2868	2180	EDownloader.exe	30
PID 2180 wrote to memory of 2868	2180	EDownloader.exe	30
PID 2180 wrote to memory of 2880	2180	EDownloader.exe	31
PID 2180 wrote to memory of 2880	2180	EDownloader.exe	31
PID 2180 wrote to memory of 2880	2180	EDownloader.exe	31
PID 2180 wrote to memory of 2880	2180	EDownloader.exe	31
PID 2180 wrote to memory of 2880	2180	EDownloader.exe	31
PID 2180 wrote to memory of 2880	2180	EDownloader.exe	31
PID 2180 wrote to memory of 2880	2180	EDownloader.exe	31
PID 2180 wrote to memory of 3064	2180	EDownloader.exe	32
PID 2180 wrote to memory of 3064	2180	EDownloader.exe	32
PID 2180 wrote to memory of 3064	2180	EDownloader.exe	32
PID 2180 wrote to memory of 3064	2180	EDownloader.exe	32
PID 2180 wrote to memory of 3064	2180	EDownloader.exe	32
PID 2180 wrote to memory of 3064	2180	EDownloader.exe	32
PID 2180 wrote to memory of 3064	2180	EDownloader.exe	32
PID 2868 wrote to memory of 2000	2868	InfoForSetup.exe	33
PID 2868 wrote to memory of 2000	2868	InfoForSetup.exe	33
PID 2868 wrote to memory of 2000	2868	InfoForSetup.exe	33
PID 2868 wrote to memory of 2000	2868	InfoForSetup.exe	33
PID 2880 wrote to memory of 2044	2880	InfoForSetup.exe	34
PID 2880 wrote to memory of 2044	2880	InfoForSetup.exe	34
PID 2880 wrote to memory of 2044	2880	InfoForSetup.exe	34
PID 2880 wrote to memory of 2044	2880	InfoForSetup.exe	34
PID 2180 wrote to memory of 2604	2180	EDownloader.exe	36
PID 2180 wrote to memory of 2604	2180	EDownloader.exe	36
PID 2180 wrote to memory of 2604	2180	EDownloader.exe	36
PID 2180 wrote to memory of 2604	2180	EDownloader.exe	36
PID 2180 wrote to memory of 2604	2180	EDownloader.exe	36
PID 2180 wrote to memory of 2604	2180	EDownloader.exe	36
PID 2180 wrote to memory of 2604	2180	EDownloader.exe	36
PID 2180 wrote to memory of 3028	2180	EDownloader.exe	37
PID 2180 wrote to memory of 3028	2180	EDownloader.exe	37
PID 2180 wrote to memory of 3028	2180	EDownloader.exe	37
PID 2180 wrote to memory of 3028	2180	EDownloader.exe	37
PID 2180 wrote to memory of 3028	2180	EDownloader.exe	37
PID 2180 wrote to memory of 3028	2180	EDownloader.exe	37
PID 2180 wrote to memory of 3028	2180	EDownloader.exe	37
PID 2180 wrote to memory of 1984	2180	EDownloader.exe	38
PID 2180 wrote to memory of 1984	2180	EDownloader.exe	38
PID 2180 wrote to memory of 1984	2180	EDownloader.exe	38
PID 2180 wrote to memory of 1984	2180	EDownloader.exe	38
PID 2180 wrote to memory of 1984	2180	EDownloader.exe	38
PID 2180 wrote to memory of 1984	2180	EDownloader.exe	38
PID 2180 wrote to memory of 1984	2180	EDownloader.exe	38
PID 2180 wrote to memory of 1256	2180	EDownloader.exe	39
PID 2180 wrote to memory of 1256	2180	EDownloader.exe	39
PID 2180 wrote to memory of 1256	2180	EDownloader.exe	39

C:\Users\Admin\AppData\Local\Temp\videodownloader_trial_Installer_20240530.695504.exe
"C:\Users\Admin\AppData\Local\Temp\videodownloader_trial_Installer_20240530.695504.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\EDownloader.exe
  "C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\EDownloader.exe" EXEDIR=C:\Users\Admin\AppData\Local\Temp ||| EXENAME=videodownloader_trial_Installer_20240530.695504.exe ||| DOWNLOAD_VERSION=trial ||| RELEASE_TIME=2024-03-20_10_06_43 ||| PRODUCT_VERSION=1.0.0 ||| INSTALL_TYPE=0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /Uid "S-1-5-21-3691908287-3775019229-3534252667-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2024
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"3\",\"Errorinfo\":\"0\",\"Result\":\"Success\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\AliyunWrapExe.Exe
      C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\AliyunWrapExe.Exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2000
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /SendInfo Window "Install" Activity "Info_Userinfo" Attribute "{\"Country\":\"United States\",\"Language\":\"English\",\"OS\":\"Microsoft Windows 7\",\"Timezone\":\"GMT-00:00\",\"UE\":\"on\",\"Version\":\"trial\",\"Version_Num\":\"2.4.2\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\AliyunWrapExe.Exe
      C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\AliyunWrapExe.Exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /SendInfo Window "DownloadInstall_Page" Activity "Info_Finish" Attribute "{\"Country\":\"United States\",\"Language\":\"English\",\"OS\":\"Microsoft Windows 7\",\"Releasetime\":\"2024-03-20_10_06_43\",\"Testid\":\"\",\"Timezone\":\"GMT-00:00\",\"Version\":\"trial\",\"Version_Num\":\"2.4.2\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3064
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /SendInfo Window "DownloadInstall_Page" Activity "Click_Installnow"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2604
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /SendInfo Window "Home_Installer" Activity "Click_Install" Attribute "{\"Install_Path\":\"C:/Program Files (x86)/EaseUS/EaseUS VideoDownloader\",\"Language\":\"English\",\"Os\":\"Microsoft Windows 7\",\"Pageid\":\"695504\",\"Timezone\":\"GMT-00:00\",\"Version\":\"trial\",\"Version_Num\":\"2.4.2\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3028
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /SendInfo Window "DownloadInstall_Page" Activity "Info_Start_Download_Program" Attribute "{\"Pageid\":\"695504\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /SendInfo Window "Home_Installer" Activity "Result_Download_Program" Attribute "{\"Average_Networkspeed\":\"8.78MB\",\"Cdn\":\"https://d1.easeus.com/videodownloader/VideoDownloader2.4.2_trial.exe\",\"Elapsedtime\":\"14\",\"Errorinfo\":\"0\",\"Result\":\"Success\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /SendInfo Window "DownloadInstall_Page" Activity "Info_Downloadcomplete"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1964
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /SendInfo Window "Home_Installer" Activity "Result_Download_Program" Attribute "{\"Result\":\"Success\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:892
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /SendInfo Window "DownloadInstall_Page" Activity "Info_Start_Install_Program"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1428
- - C:\Users\Admin\AppData\Local\Temp\videodownloader_trial_easeus.exe
    /verysilent /DIR="C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader" /LANG=English GUID=S-1-5-21-3691908287-3775019229-3534252667-1000 xurlID=695504
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\is-R165O.tmp\videodownloader_trial_easeus.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-R165O.tmp\videodownloader_trial_easeus.tmp" /SL5="$401F0,128347824,198656,C:\Users\Admin\AppData\Local\Temp\videodownloader_trial_easeus.exe" /verysilent /DIR="C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader" /LANG=English GUID=S-1-5-21-3691908287-3775019229-3534252667-1000 xurlID=695504
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2612
    - - C:\Users\Admin\AppData\Local\Temp\is-CR0ES.tmp\InfoForSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CR0ES.tmp\InfoForSetup.exe" /SendInfo "Window" "Licenseagreement" "Activity" "Click_Next"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3068
      - C:\Users\Admin\AppData\Local\Temp\is-CR0ES.tmp\AliyunWrapExe.Exe
        
        C:\Users\Admin\AppData\Local\Temp\is-CR0ES.tmp\AliyunWrapExe.Exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2528
    - - C:\Users\Admin\AppData\Local\Temp\is-CR0ES.tmp\InfoForSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CR0ES.tmp\InfoForSetup.exe" /SendInfo "Window" "Selectdestinationlocation" "Activity" "Click_Next" "Attribute" "{\"Path\":\"C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\"}"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\is-CR0ES.tmp\InfoForSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CR0ES.tmp\InfoForSetup.exe" /SendInfo "Window" "Selectadditionaltasks" "Activity" "Click_Next" "Attribute" "{\"Test_id\":\"2.4.2trial_20240521\",\"Version\":\"trial\",\"Num\":\"2.4.2\",\"Language\":\"English\",\"Create\":\"Check\"}"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1528
    - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\checkUp.exe
        
        "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\checkUp.exe" --createUpdateUIEnv
        5⤵
        Executes dropped EXE
        
        PID:2272
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\openUrlCreate.bat""
        5⤵
        
        PID:2780
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /F /TN "OpenUrlEaseUSVideoDownloader" /TR "\"C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\openUrl.exe\" /skipuac" /SC ONSTART /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\is-CR0ES.tmp\InfoForSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CR0ES.tmp\InfoForSetup.exe" /SendInfo "Window" "Finish" "Activity" "Click_Finish" "Attribute" "{\"Participate\":\"Check\",\"Url\":\"https://update.easeus.com/thankyou/install-video-downloader.html\",\"Launch\":\"UnCheck\"}"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2412
    - - C:\ProgramData\VideoDownloader\aliyun\SetupUE.exe
        
        "C:\ProgramData\VideoDownloader\aliyun\SetupUE.exe" /Enable "{\"Language\":\"English\",\"pageID\":\"1-695504\",\"Version\":\"trial\",\"Version_Num\":\"2.4.2\",\"Testid\":\"2.4.2trial_20240521\",\"Releasetime\":\"20240521\",\"UE\":\"On\"}"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2764
      - C:\ProgramData\VideoDownloader\aliyun\InfoForSetup.exe
        
        "C:\ProgramData\VideoDownloader\aliyun\InfoForSetup.exe" /Enable
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2816
      - C:\ProgramData\VideoDownloader\aliyun\InfoForSetup.exe
        
        "C:\ProgramData\VideoDownloader\aliyun\InfoForSetup.exe" /SendInfo "Window" "Finish" "Activity" "Info_Finish" "Attribute" "{\"Language\":\"English\",\"pageID\":\"1-695504\",\"Version\":\"trial\",\"Version_Num\":\"2.4.2\",\"Testid\":\"2.4.2trial_20240521\",\"Releasetime\":\"20240521\",\"UE\":\"On\",\"Country\":\"United States\",\"Timezone\":\"GMT-00:00(Coordinated Universal Time)\",\"OS\":\"Microsoft Windows 7 64-bit Service Pack 1 (6.1.7601.1.256)\"}"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:684
        
        C:\ProgramData\VideoDownloader\aliyun\AliyunWrapExe.Exe
        
        C:\ProgramData\VideoDownloader\aliyun\AliyunWrapExe.Exe
        7⤵
        Executes dropped EXE
        
        PID:1472
    - - C:\Users\Admin\AppData\Local\Temp\is-CR0ES.tmp\InfoForSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CR0ES.tmp\InfoForSetup.exe" /SendInfo "Window" "EvdSetup" "Activity" "Info_Userinfo" "Attribute" ""{\"Language\":\"English\",\"Version\":\"trial\",\"Version_Num\":\"2.4.2\",\"Country\":\""United States"\",\"DPI\":\""1280*720"\",\"Display\":\""15.7"\",\"Timezone\":\""GMT-00:00(Coordinated Universal Time)"\",\"OS\":\""Microsoft Windows 7 (6.1.7601)"\",\"Pageid\":\"1-695504\",\"UE\":\"On\"}""
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2736
    - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\sendInstallerUrl.exe
        
        "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\sendInstallerUrl.exe" https://update.easeus.com/thankyou/install-video-downloader.html
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:876
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /SendInfo Window "DownloadInstall_Page" Activity "Info_Installationcomplete" Attribute "{\"Country\":\"United States\",\"Language\":\"English\",\"OS\":\"Microsoft Windows 7\",\"Timezone\":\"GMT-00:00\",\"Version\":\"trial\",\"Version_Num\":\"2.4.2\"}"
    3⤵
    - Executes dropped EXE
    PID:916
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /SendInfo Window "DownloadInstall_Page" Activity "Result_iTunesInstall" Attribute "{\"Result\":\"fail\"}"
    3⤵
    - Executes dropped EXE
    PID:904
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /SendInfo Window "Install_Finish" Activity "Result_Install_Program" Attribute "{\"Country\":\"United States\",\"Downloadfrom\":\"https://d1.easeus.com/videodownloader/VideoDownloader2.4.2_trial.exe\",\"Elapsedtime\":\"18\",\"Language\":\"English\",\"OS\":\"Microsoft Windows 7\",\"Pageid\":\"695504\",\"Result\":\"result_success\",\"Timezone\":\"GMT-00:00\",\"Version\":\"trial\",\"Version_Num\":\"2.4.2\"}"
    3⤵
    - Executes dropped EXE
    PID:1572
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://update.easeus.com/thankyou/install-video-downloader.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2496
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2560
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\17trial\aliyun\InfoForSetup.exe
    /SendInfo Window "Install_Finish" Activity "Click_Startnow"
    3⤵
    - Executes dropped EXE
    PID:2536
- - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\VideoDownloader.exe
    "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\VideoDownloader.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2804
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\firebasefetch.exe
      "C:/Program Files (x86)/EaseUS/EaseUS VideoDownloader/bin/firebasefetch.exe"
      4⤵
      Executes dropped EXE
      PID:2996
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=utility --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en-US --service-sandbox-type=network --application-name=VideoDownloader --webengine-schemes=qrc:sLV --mojo-platform-channel-handle=2008 /prefetch:8
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:3864
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=2 --mojo-platform-channel-handle=2040 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3912
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2052 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4076
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2060 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:780
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2064 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1928
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2072 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2612
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2080 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1864
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2092 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1340
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3200 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3668
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\prepare.exe
      prepare check
      4⤵
      Executes dropped EXE
      PID:1036
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\checkTimezone.exe
      checkTimezone
      4⤵
      Executes dropped EXE
      PID:616
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\versionActivate.exe
      versionActivate --localAbout
      4⤵
      Executes dropped EXE
      PID:1180
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\versionActivate.exe
      versionActivate --hardcode
      4⤵
      Writes to the Master Boot Record (MBR)
      Executes dropped EXE
      PID:920
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\versionActivate.exe
      versionActivate --syncFromServer --uid S-1-5-21-3691908287-3775019229-3534252667-1000
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:3100
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\videodownload.exe
      videodownload listhistory
      4⤵
      Executes dropped EXE
      PID:2200
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\media2mp3.exe
      media2mp3 listhistory
      4⤵
      Executes dropped EXE
      PID:1656
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\prepare.exe
      prepare update --id dbbcc3e83f1c22efa28c666bfe5fe75f
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:3996
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\checkUp.exe
      checkUp --url https://update.easeus.com/update/videodownloader/evdUpdate.ini --language English
      4⤵
      Executes dropped EXE
      PID:1116
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4264 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1112
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4236 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3980
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2888 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2980
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2872 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2320
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\UIInnerbuy.exe
      UIInnerbuy --getxurlid
      4⤵
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      PID:3808
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\versionActivate.exe
      versionActivate --version --uid S-1-5-21-3691908287-3775019229-3534252667-1000
      4⤵
      Executes dropped EXE
      PID:1772
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3468 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2632
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe
      "C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4584 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2192
  - - C:\Program Files (x86)\EaseUS\EaseUS VideoDownloader\bin\videodownload.exe
      videodownload parse-oneclick --url https://tiktok.com/?ace_cosplayed --perLimit=1 --tag 4 --cookiePath \u0043\u003a\u002f\u0055\u0073\u0065\u0072\u0073\u002f\u0041\u0064\u006d\u0069\u006e\u002f\u0041\u0070\u0070\u0044\u0061\u0074\u0061\u002f\u0052\u006f\u0061\u006d\u0069\u006e\u0067\u002f\u0045\u0061\u0073\u0065\u0055\u0053\u002f\u0056\u0069\u0064\u0065\u006f\u0044\u006f\u0077\u006e\u006c\u006f\u0061\u0064\u0065\u0072\u005c\u002e\u0074\u0069\u006b\u0074\u006f\u006b\u002e\u0063\u006f\u006d --mediaType video --mediaQuality 720 --thumbnail=false --subtitle English --dstDir \u0046\u003a\u002f\u0045\u0061\u0073\u0065\u0055\u0053\u005f\u0056\u0069\u0064\u0065\u006f\u0044\u006f\u0077\u006e\u006c\u006f\u0061\u0064\u0065\u0072
      4⤵
      PID:1228
    - - C:\Users\Admin\AppData\Local\Temp\VideoDownloader\yt-dlp\yt-dlp.exe
        
        C:\Users\Admin\AppData\Local\Temp\VideoDownloader\yt-dlp\yt-dlp.exe --legacy-server-connect --no-check-certificates --no-colors --cookies C:\Users\Admin\AppData\Local\Temp\VideoDownloader\ytbHumSearchResult\cookie\a0ce3aa0f07075f7d26963afd2584b17.txt -J --skip-download --yes-playlist --flat-playlist --playlist-items 1-2000 https://tiktok.com?ace_cosplayed
        5⤵
        
        PID:3640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:3096
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:1704
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:1976
    - - C:\Users\Admin\AppData\Local\Temp\VideoDownloader\yt-dlp\yt-dlp.exe
        
        C:\Users\Admin\AppData\Local\Temp\VideoDownloader\yt-dlp\yt-dlp.exe --legacy-server-connect --no-check-certificates --no-colors --cookies C:\Users\Admin\AppData\Local\Temp\VideoDownloader\ytbHumSearchResult\cookie\a0ce3aa0f07075f7d26963afd2584b17.txt --extractor-retries 60 -J --skip-download --yes-playlist --flat-playlist --playlist-items 1-2000 https://tiktok.com?ace_cosplayed
        5⤵
        
        PID:576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:3024
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:3100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\VideoDownloader\yt-dlp\yt-dlp.exe
        
        C:\Users\Admin\AppData\Local\Temp\VideoDownloader\yt-dlp\yt-dlp.exe --legacy-server-connect --no-check-certificates --no-colors -J --skip-download --yes-playlist --flat-playlist --playlist-items 1-2000 https://tiktok.com?ace_cosplayed
        5⤵
        
        PID:2084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:1612
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:616
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:3148
    - - C:\Users\Admin\AppData\Local\Temp\VideoDownloader\yt-dlp\yt-dlp.exe
        
        C:\Users\Admin\AppData\Local\Temp\VideoDownloader\yt-dlp\yt-dlp.exe --legacy-server-connect --no-check-certificates --no-colors --cookies C:\Users\Admin\AppData\Local\Temp\VideoDownloader\ytbHumSearchResult\cookie\a0ce3aa0f07075f7d26963afd2584b17.txt -J --skip-download --yes-playlist --flat-playlist --playlist-items 1-2000 https://tiktok.com?ace_cosplayed
        5⤵
        
        PID:2808
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:2556
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:2580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:2108
    - - C:\Users\Admin\AppData\Local\Temp\VideoDownloader\yt-dlp\yt-dlp.exe
        
        C:\Users\Admin\AppData\Local\Temp\VideoDownloader\yt-dlp\yt-dlp.exe --legacy-server-connect --no-check-certificates --no-colors --cookies C:\Users\Admin\AppData\Local\Temp\VideoDownloader\ytbHumSearchResult\cookie\a0ce3aa0f07075f7d26963afd2584b17.txt --extractor-retries 60 -J --skip-download --yes-playlist --flat-playlist --playlist-items 1-2000 https://tiktok.com?ace_cosplayed
        5⤵
        
        PID:3600
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5969758,0x7fef5969768,0x7fef5969778
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1184,i,2427266182050272219,7725303777062539641,131072 /prefetch:2
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1448 --field-trial-handle=1184,i,2427266182050272219,7725303777062539641,131072 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1184,i,2427266182050272219,7725303777062539641,131072 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2212 --field-trial-handle=1184,i,2427266182050272219,7725303777062539641,131072 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2232 --field-trial-handle=1184,i,2427266182050272219,7725303777062539641,131072 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1328 --field-trial-handle=1184,i,2427266182050272219,7725303777062539641,131072 /prefetch:2
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3120 --field-trial-handle=1184,i,2427266182050272219,7725303777062539641,131072 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3332 --field-trial-handle=1184,i,2427266182050272219,7725303777062539641,131072 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 --field-trial-handle=1184,i,2427266182050272219,7725303777062539641,131072 /prefetch:8
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=1184,i,2427266182050272219,7725303777062539641,131072 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3324 --field-trial-handle=1184,i,2427266182050272219,7725303777062539641,131072 /prefetch:8
  2⤵
  PID:1660

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3972

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x554
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery