lumma | hxxps://www[.]mediafire[.]com/folder/dqp2hwa872obn

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	Loader.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 7 IoCs

pid	Process
3940	7z2407-x64.exe
3940	7zG.exe
2092	Loader.exe
6116	w.exe
1696	ww.exe
2852	update.exe
5516	www.exe

Loads dropped DLL 2 IoCs

pid	Process
3496	Process not Found
3940	7zG.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1396-1124-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1396-1128-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1396-1129-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1396-1131-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1396-1134-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1396-1136-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1396-1135-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1396-1137-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1396-1133-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1396-1130-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1396-1126-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1396-1125-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
450	pastebin.com
453	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2692	powercfg.exe
3680	powercfg.exe
4912	powercfg.exe
5344	powercfg.exe
3904	powercfg.exe
2620	powercfg.exe
224	powercfg.exe
5820	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	ww.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	update.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 6116 set thread context of 2896	6116	w.exe	167
PID 2852 set thread context of 1504	2852	update.exe	203
PID 2852 set thread context of 1396	2852	update.exe	204

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2407-x64.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1012	sc.exe
5188	sc.exe
6020	sc.exe
2156	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2407-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2650514177-1034912467-4025611726-1000\{0AC58851-101F-4D93-8EFA-F4EB38BB45ED}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2407-x64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 351965.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
5416	NOTEPAD.EXE
3252	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3184	msedge.exe
3184	msedge.exe
4720	identity_helper.exe
4720	identity_helper.exe
5568	msedge.exe
5568	msedge.exe
5776	msedge.exe
5776	msedge.exe
3036	msedge.exe
3036	msedge.exe
1696	ww.exe
1696	ww.exe
1696	ww.exe
6120	powershell.exe
6120	powershell.exe
6120	powershell.exe
1696	ww.exe
1696	ww.exe
1696	ww.exe
1696	ww.exe
1696	ww.exe
1696	ww.exe
1696	ww.exe
1696	ww.exe
1696	ww.exe
1696	ww.exe
2852	update.exe
2852	update.exe
2852	update.exe
6128	powershell.exe
6128	powershell.exe
6128	powershell.exe
2852	update.exe
2852	update.exe
2852	update.exe
2852	update.exe
2852	update.exe
2852	update.exe
2852	update.exe
6140	msedge.exe
6140	msedge.exe
6140	msedge.exe
6140	msedge.exe
1396	dwm.exe
1396	dwm.exe
1396	dwm.exe
1396	dwm.exe
5516	www.exe
5516	www.exe
1396	dwm.exe
1396	dwm.exe
1396	dwm.exe
1396	dwm.exe
1396	dwm.exe
1396	dwm.exe
1396	dwm.exe
1396	dwm.exe
1396	dwm.exe
1396	dwm.exe
1396	dwm.exe
1396	dwm.exe
1396	dwm.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
6088	OpenWith.exe
1684	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeRestorePrivilege	3940	7zG.exe
Token: 35	3940	7zG.exe
Token: SeSecurityPrivilege	3940	7zG.exe
Token: SeSecurityPrivilege	3940	7zG.exe
Token: SeDebugPrivilege	6120	powershell.exe
Token: SeShutdownPrivilege	2692	powercfg.exe
Token: SeCreatePagefilePrivilege	2692	powercfg.exe
Token: SeShutdownPrivilege	5820	powercfg.exe
Token: SeCreatePagefilePrivilege	5820	powercfg.exe
Token: SeShutdownPrivilege	3680	powercfg.exe
Token: SeCreatePagefilePrivilege	3680	powercfg.exe
Token: SeShutdownPrivilege	4912	powercfg.exe
Token: SeCreatePagefilePrivilege	4912	powercfg.exe
Token: SeDebugPrivilege	6128	powershell.exe
Token: SeShutdownPrivilege	224	powercfg.exe
Token: SeCreatePagefilePrivilege	224	powercfg.exe
Token: SeLockMemoryPrivilege	1396	dwm.exe
Token: SeShutdownPrivilege	5344	powercfg.exe
Token: SeCreatePagefilePrivilege	5344	powercfg.exe
Token: SeShutdownPrivilege	2620	powercfg.exe
Token: SeCreatePagefilePrivilege	2620	powercfg.exe
Token: SeShutdownPrivilege	3904	powercfg.exe
Token: SeCreatePagefilePrivilege	3904	powercfg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
5840	AcroRd32.exe
5840	AcroRd32.exe
5840	AcroRd32.exe
5840	AcroRd32.exe
3940	7z2407-x64.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
2092	Loader.exe
2896	RegAsm.exe
5516	www.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 4980	3184	msedge.exe	84
PID 3184 wrote to memory of 4980	3184	msedge.exe	84
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3488	3184	msedge.exe	85
PID 3184 wrote to memory of 3080	3184	msedge.exe	86
PID 3184 wrote to memory of 3080	3184	msedge.exe	86
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87
PID 3184 wrote to memory of 528	3184	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/folder/dqp2hwa872obn
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9122146f8,0x7ff912214708,0x7ff912214718
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6860 /prefetch:8
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7568 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7584 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7892 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8008 /prefetch:1
  2⤵
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8060 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1844 /prefetch:8
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3036
- C:\Users\Admin\Downloads\7z2407-x64.exe
  "C:\Users\Admin\Downloads\7z2407-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8534722214334798489,3442435452065074660,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3544 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5108

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6088
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\UnivMenu_1.16.7z"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5840
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5204
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A8B1D0BE3B40C01338E04141CA63942E --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5152
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3405086B5BCF216C5C57D8BE3189C193 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3405086B5BCF216C5C57D8BE3189C193 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3044
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1DC3FC88B4C9DD74C8ADF730613287B2 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:6088
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8DA1655AC46C0696D71415903E27A3DD --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3420
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CA770DF3760166510B7E3136EADB2C2C --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3020

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\UnivMenu_1.16\" -spe -an -ai#7zMap101:86:7zEvent17950
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Users\Admin\Downloads\UnivMenu_1.16\Loader.exe
"C:\Users\Admin\Downloads\UnivMenu_1.16\Loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2092
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\w.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\w.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:6116
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2896
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ww.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ww.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1696
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5616
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2096
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3680
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5820
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WindowsManager"
    3⤵
    - Launches sc.exe
    PID:6020
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WindowsManager" binpath= "C:\ProgramData\WindowsManager\update.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2156
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1012
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WindowsManager"
    3⤵
    - Launches sc.exe
    PID:5188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ww.exe"
    3⤵
    PID:2148
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:3032
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\www.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\www.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5516
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /tn WmiPrvSES /tr "C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe" /sc minute /mo 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:404

C:\ProgramData\WindowsManager\update.exe
C:\ProgramData\WindowsManager\update.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2852
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5848
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3148
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:224
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5344
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1504
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\UnivMenu_1.16\Info.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5416

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\UnivMenu_1.16\Data\gsdagsdg - Copy - Copy.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3252

C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe
C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery