d73e40b366acfd7adebc7d90ef7762f8d8e8e80f44265dc135b02c3701cd75be

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{9DD4ACE5-F1C9-4005-B36E-72CF3ACF7E39} = "v2.30\|Action=Allow\|Active=TRUE\|Dir=In\|App=C:\\Windows\\LVUAAgentSDPInstBaseRoot\\UniSDPAccessAgent.exe\|Name=Security Assistant SDPAgent\|"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{9E536491-F4B4-4663-837A-73824DDDBA04} = "v2.30\|Action=Allow\|Active=TRUE\|Dir=In\|App=C:\\Windows\\LVUAAgentSDPInstBaseRoot\\SDPProxyClient.exe\|Name=SDPProxyClient\|"	svchost.exe

Drops file in Drivers directory 1 IoCs

Processes:

SDPProxyClient.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts SDPProxyClient.exe
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	SDPProxyClient.exe

Sets service image path in registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

UniSDPAccessAgentDaemon.exeUniSDPAccessAgent.exeUniSDPAccessAgentDaemon.exeSDPProxyClient.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UniSDPProtect\ImagePath = "\\??\\C:\\Windows\\LVUAAgentSDPInstBaseRoot\\drivers\\UniSDPProtect.sys"	UniSDPAccessAgentDaemon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UniKInjectSDP\ImagePath = "\\??\\C:\\Windows\\LVUAAgentSDPInstBaseRoot\\drivers\\UniKInjectSDP.sys"	UniSDPAccessAgent.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UniSDPProtect\ImagePath = "\\??\\C:\\Windows\\LVUAAgentSDPInstBaseRoot\\drivers\\UniSDPProtect.sys"	UniSDPAccessAgentDaemon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\sdptdi\ImagePath = "\\??\\C:\\Windows\\LVUAAgentSDPInstBaseRoot\\SDPDriver\\SdpTdi.sys"	SDPProxyClient.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SDPSbieDrv\ImagePath = "\\??\\C:\\Windows\\LVUAAgentSDPInstBaseRoot\\safebox\\SDPSbieDrv.sys"	SDPProxyClient.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

UniSDPAccessAgentTray.exeUniSDPAccessAgentTray.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	UniSDPAccessAgentTray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	UniSDPAccessAgentTray.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

Processes:

7z.exeUniSDPAccessAgentDaemon.exeFocaccino.exeUniSDPAccessAgent.exeVienna.exeUAAExt.exeUniSDPAccessAgent.exeUAAExt.exeAsMyWish.exeUniSDPAccessAgent.exeUniSDPAccessAgent.exeUAAExt.exewinlogon.exesvchost.exesvchost.exedwm.exesvchost.exeUniSDPAccessAgentDaemon.exeUAAExt.exesvchost.exesvchost.exeUniSDPAccessAgentTray.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesysmon.exesvchost.exesvchost.exesihost.exeunsecapp.exesvchost.exesvchost.exetaskhostw.exeTinaiatSDP.exeTinaiatSDP.exesvchost.exesvchost.exeStartMenuExperienceHost.exeSDPCSClient.exeSDPCSClient.exe

pid	process
2004	7z.exe
3240	UniSDPAccessAgentDaemon.exe
4900	Focaccino.exe
740	UniSDPAccessAgent.exe
452	Vienna.exe
2696	UAAExt.exe
2260	UniSDPAccessAgent.exe
812	UAAExt.exe
1816	AsMyWish.exe
4548	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
5052	UAAExt.exe
616	winlogon.exe
800	svchost.exe
956	svchost.exe
336	dwm.exe
468	svchost.exe
2860	UniSDPAccessAgentDaemon.exe
4672	UAAExt.exe
64	svchost.exe
1048	svchost.exe
2836	UniSDPAccessAgentTray.exe
1100	svchost.exe
1144	svchost.exe
1172	svchost.exe
1296	svchost.exe
1336	svchost.exe
1368	svchost.exe
1384	svchost.exe
1508	svchost.exe
1536	svchost.exe
1548	svchost.exe
1660	svchost.exe
1700	svchost.exe
1752	svchost.exe
1776	svchost.exe
1856	svchost.exe
1972	svchost.exe
1980	svchost.exe
2044	svchost.exe
1120	svchost.exe
1784	svchost.exe
2104	spoolsv.exe
2168	svchost.exe
2232	svchost.exe
2360	svchost.exe
2376	svchost.exe
2548	svchost.exe
2604	svchost.exe
2624	sysmon.exe
2660	svchost.exe
2668	svchost.exe
2948	sihost.exe
2956	unsecapp.exe
2988	svchost.exe
3096	svchost.exe
3108	taskhostw.exe
1516	TinaiatSDP.exe
3620	TinaiatSDP.exe
3424	svchost.exe
3636	svchost.exe
3916	StartMenuExperienceHost.exe
2828	SDPCSClient.exe
4108	SDPCSClient.exe

Impair Defenses: Safe Mode Boot 1 TTPs 11 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

UniSDPAccessAgentDaemon.exeUniSDPAccessAgent.exeUniSDPAccessAgent.exeSDPProxyClient.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UniSDPProtect.sys	UniSDPAccessAgentDaemon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UniSDPAccessAgent	UniSDPAccessAgent.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UniSDPAccessAgent\ = "Service"	UniSDPAccessAgent.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Hutiehua	UniSDPAccessAgent.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SDPSbieDrv	SDPProxyClient.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SDPSbieSvc	SDPProxyClient.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UniSDPProtect	UniSDPAccessAgentDaemon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UniKInjectSDP.sys	UniSDPAccessAgent.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Hutiehua.sys	UniSDPAccessAgent.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SDPSbieDrv.sys	SDPProxyClient.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UniKInjectSDP	UniSDPAccessAgent.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Loads dropped DLL 64 IoCs

Processes:

7z.exeUniSDPAccessAgent.exeUniSDPAccessAgent.exeUAAExt.exeUAAExt.exeUniSDPAccessAgent.exeUniSDPAccessAgent.exeAsMyWish.exeUAAExt.exe

pid	process
2004	7z.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
2260	UniSDPAccessAgent.exe
2260	UniSDPAccessAgent.exe
2260	UniSDPAccessAgent.exe
2260	UniSDPAccessAgent.exe
2260	UniSDPAccessAgent.exe
2260	UniSDPAccessAgent.exe
2260	UniSDPAccessAgent.exe
2260	UniSDPAccessAgent.exe
2260	UniSDPAccessAgent.exe
2260	UniSDPAccessAgent.exe
2260	UniSDPAccessAgent.exe
2696	UAAExt.exe
2696	UAAExt.exe
2696	UAAExt.exe
812	UAAExt.exe
812	UAAExt.exe
812	UAAExt.exe
4548	UniSDPAccessAgent.exe
4548	UniSDPAccessAgent.exe
4548	UniSDPAccessAgent.exe
4548	UniSDPAccessAgent.exe
4548	UniSDPAccessAgent.exe
4548	UniSDPAccessAgent.exe
4548	UniSDPAccessAgent.exe
4548	UniSDPAccessAgent.exe
4548	UniSDPAccessAgent.exe
4548	UniSDPAccessAgent.exe
4548	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
1816	AsMyWish.exe
1816	AsMyWish.exe
1816	AsMyWish.exe
5052	UAAExt.exe
5052	UAAExt.exe
5052	UAAExt.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

sysmon.exeUniSDPAccessAgent.exe

description ioc process

File opened (read-only) \??\F: sysmon.exe
File opened (read-only) \??\F: UniSDPAccessAgent.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

Vienna.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Vienna.exe
Drops file in System32 directory 1 IoCs

Processes:

UniSDP_20240330SP_20240708V5.3.0.14.exe

description ioc process

File created C:\Windows\system32\MeiLinGuanSDP.exe UniSDP_20240330SP_20240708V5.3.0.14.exe
Drops file in Program Files directory 1 IoCs

Processes:

UniSDPAccessAgent.exe

description ioc process

File created C:\Program Files\Mozilla Firefox\mozilla.cfg UniSDPAccessAgent.exe

description	ioc	process
File opened (read-only)	\??\F:	sysmon.exe
File opened (read-only)	\??\F:	UniSDPAccessAgent.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Vienna.exe

description	ioc	process
File created	C:\Windows\system32\MeiLinGuanSDP.exe	UniSDP_20240330SP_20240708V5.3.0.14.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\mozilla.cfg	UniSDPAccessAgent.exe

Drops file in Windows directory 64 IoCs

Processes:

UniSDP_20240330SP_20240708V5.3.0.14.exeUniSDPAccessAgent.exeFocaccino.exeUniSDPAccessAgentTray.exeUniSDPAccessAgent.exeVienna.exeTinaiatSDP.exeUniSDPAccessAgent.exeSDPProxyClient.exeAsMyWish.exeUniSDPAccessAgent.exeSDPSbieCtrl.exe

description	ioc	process
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgentDaemon.exe	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\sys\msg_info.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\tray\traypluginpac\xml\page_resourceocc_page.xml	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\7z.exe	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieDll.dll	UniSDP_20240330SP_20240708V5.3.0.14.exe
File opened for modification	C:\Windows\LVUAAgentSDPInstBaseRoot\policy\lv-agent-odisk-rti.arc	UniSDPAccessAgent.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\32\api-ms-win-crt-filesystem-l1-1-0.dll	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\tray\traymain\xml\dlg_super.xml	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\ui\uimain\image\tab_bt_bg.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\tray\traypluginsystemset\image\btn_button80.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\ui\uimain\image\tab_email.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\libssl-1_1-x64.dll	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\sys\sys_wnd_bkgnd.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File opened for modification	C:\Windows\LVUAAgentSDPInstBaseRoot\log\InstallFirst_20241121_113544.log	Focaccino.exe
File opened for modification	C:\Windows\LVUAAgentSDPInstBaseRoot\custom_tray.ico	UniSDPAccessAgent.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\public\LVGShare.arc	UniSDPAccessAgent.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\ui\uimain\image\btn_login_config.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\sys\sys_focus_checkbox.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\api-ms-win-core-localization-l1-2-0.dll	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\tray\traypluginsystemset\xml\page_logcfg_proxylib.xml	UniSDP_20240330SP_20240708V5.3.0.14.exe
File opened for modification	C:\Windows\LVUAAgentSDPInstBaseRoot\public\UserLogonInfo.arc	UniSDPAccessAgentTray.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\api-ms-win-crt-multibyte-l1-1-0.dll	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\ui\uimain\xml\init.xml	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\ui\uimain\xml\page_portal.xml	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\SDPProxy.dll	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\SysWow64\VozokopotSDP.dll	UniSDP_20240330SP_20240708V5.3.0.14.exe
File opened for modification	C:\Windows\LVUAAgentSDPInstBaseRoot\public\custom_tray.ico	UniSDPAccessAgent.exe
File opened for modification	C:\Windows\LVUAAgentSDPInstBaseRoot\log\CheckGhost_20241121_113546.log	UniSDPAccessAgent.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\tray\traypluginpac\image\lcex_header.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\ui\uimain\image\sbox_desktop.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\public\box_win11.reg	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\sandbox\mainui\uires.idx	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieMsg.dll	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\api-ms-win-core-synch-l1-2-0.dll	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\lan\SoftWareMall_zh-CHT.lan	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\32\ComputerID.ini	Vienna.exe
File opened for modification	C:\Windows\LVUAAgentSDPInstBaseRoot\log\TinaiatSDP641_20241121_113548.log	TinaiatSDP.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\sys\sys_btn_minimize.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\sys\sys_menu_skin.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\TinaiatSDP.exe	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\public\UserConfigInfo.arc.Bak	UniSDPAccessAgent.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\personal\LVAgtEnvLanNotZhcnMark.arc	UniSDPAccessAgent.exe
File opened for modification	C:\Windows\LVUAAgentSDPInstBaseRoot\log\HProxyThread_20241121_113551.log	SDPProxyClient.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\certs\SDProot.key	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\tray\traypluginexamineinfo\image\lcex_header_arrow.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\gmcerts\gm_enc.crt	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\public\win10.reg	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\FileList.ini	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\ui\uimain\image\logo.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\ui\uimain\xml\login_page_account.xml	UniSDP_20240330SP_20240708V5.3.0.14.exe
File opened for modification	C:\Windows\LVUAAgentSDPInstBaseRoot\32\log\AsMyWish1_20241121_113551.log	AsMyWish.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\DunmDuiAt.exe	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\sys\sys_prog_bar.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\tray\traypluginexamineinfo\xml\page_apply_details.xml	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\sys\sys_Tree_toggle.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File opened for modification	C:\Windows\LVUAAgentSDPInstBaseRoot\policy\UAACustConfig.arc	UniSDPAccessAgent.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\32\ucrtbase.dll	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\ui\uimain\image\login_btn.png	UniSDP_20240330SP_20240708V5.3.0.14.exe
File opened for modification	C:\Windows\LVUAAgentSDPInstBaseRoot\NRServerAgent.ini	UniSDPAccessAgent.exe
File opened for modification	C:\Windows\LVUAAgentSDPInstBaseRoot\public\sdp_reg_mark.arc	SDPProxyClient.exe
File opened for modification	C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\log\sdpsbiectrl_0.log	SDPSbieCtrl.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\tray\traypluginsystemset\xml\page_home_edit.xml	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\face\ui\uimain\xml\resource_apply.xml	UniSDP_20240330SP_20240708V5.3.0.14.exe
File created	C:\Windows\LVUAAgentSDPInstBaseRoot\public\win7.reg	UniSDP_20240330SP_20240708V5.3.0.14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3352 4572 WerFault.exe SDPSandBoxUI.exe

pid	pid_target	process	target process
3352	4572	WerFault.exe	SDPSandBoxUI.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7z.exeTinaiatSDP.exeUniSDP_20240330SP_20240708V5.3.0.14.exeSDPNSPInstaller.exeregedit.exeAsMyWish.exeTinaiatSDP.exeSDPSandBoxUI.exeVienna.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TinaiatSDP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UniSDP_20240330SP_20240708V5.3.0.14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SDPNSPInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsMyWish.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TinaiatSDP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SDPSandBoxUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vienna.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

svchost.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

wmiprvse.exeUniSDPAccessAgent.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	UniSDPAccessAgent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	UniSDPAccessAgent.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

3944 ipconfig.exe

pid	process
3944	ipconfig.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

SDPNSPInstaller.exeSDPNSPInstaller.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SDPNSPInstaller.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	SDPNSPInstaller.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	SDPNSPInstaller.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	SDPNSPInstaller.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SDPNSPInstaller.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	SDPNSPInstaller.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	SDPNSPInstaller.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	SDPNSPInstaller.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	SDPNSPInstaller.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	SDPNSPInstaller.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeUniSDPAccessAgent.exesvchost.exesihost.exeSDPProxyClient.exeregedit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{407C6AE8-1192-4068-89EF-B1F693D1F9E9}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2D08241-B9A6-4C61-BA72-0C042E2962AA}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2D08241-B9A6-4C61-BA72-0C042E2962AA}\1.0\0\win64\ = "C:\\Windows\\LVUAAgentSDPInstBaseRoot\\safebox\\ExportMenu.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ExportMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ExportMenu\ = "{407C6AE8-1192-4068-89EF-B1F693D1F9E9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lvenc4file	UniSDPAccessAgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lvenc2\ = "lvenc2file"	UniSDPAccessAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExportMenu.ExportFile.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExportMenu.ExportFile	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{407C6AE8-1192-4068-89EF-B1F693D1F9E9}\TypeLib\ = "{C2D08241-B9A6-4C61-BA72-0C042E2962AA}"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133766625604650612"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lvenc4file\ = "Offline Approval Result"	UniSDPAccessAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{407C6AE8-1192-4068-89EF-B1F693D1F9E9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ExportMenu\ = "{407C6AE8-1192-4068-89EF-B1F693D1F9E9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SDP528Client\DefaultIcon	SDPProxyClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExportMenu.ExportFile\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExportMenu.ExportFile\CurVer\ = "ExportMenu.ExportFile.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C1FCC7E-B553-47FE-99E2-6D3861DC03B8}\ = "IExportFile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2D08241-B9A6-4C61-BA72-0C042E2962AA}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2D08241-B9A6-4C61-BA72-0C042E2962AA}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C1FCC7E-B553-47FE-99E2-6D3861DC03B8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lvenc4file\Shell\ = "Open"	UniSDPAccessAgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ExportMenu.DLL\AppID = "{10D63AD7-6EBC-43A9-A997-FEC1AE9C6EDE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ExportMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2D08241-B9A6-4C61-BA72-0C042E2962AA}\1.0\HELPDIR\ = "C:\\Windows\\LVUAAgentSDPInstBaseRoot\\safebox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lvenc4file\Shell	UniSDPAccessAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133766625606213101"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C1FCC7E-B553-47FE-99E2-6D3861DC03B8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C1FCC7E-B553-47FE-99E2-6D3861DC03B8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\print\DropTarget\Clsid = "{60fd46de-f830-4894-a628-6fa81bc0190d}"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExportMenu.ExportFile\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\print\DropTarget	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133766625745900638"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133766625879806925"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SDP528Client\shell\open\command\ = "\"C:\\Windows\\LVUAAgentSDPInstBaseRoot\\UniSDPAccessAgent.exe\" \"%1\""	SDPProxyClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{407C6AE8-1192-4068-89EF-B1F693D1F9E9}\VersionIndependentProgID\ = "ExportMenu.ExportFile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lvenc4\ = "lvenc4file"	UniSDPAccessAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{407C6AE8-1192-4068-89EF-B1F693D1F9E9}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C1FCC7E-B553-47FE-99E2-6D3861DC03B8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExportMenu.ExportFile.1\ = "ExportFile Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C1FCC7E-B553-47FE-99E2-6D3861DC03B8}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133766625531681806"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lvenc2file\Shell\Open	UniSDPAccessAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExportMenu.ExportFile.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\print\command\ = "%SystemRoot%\\System32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lvenc2file\Shell\ = "Open"	UniSDPAccessAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{10D63AD7-6EBC-43A9-A997-FEC1AE9C6EDE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{10D63AD7-6EBC-43A9-A997-FEC1AE9C6EDE}\ = "ExportMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExportMenu.ExportFile\CLSID\ = "{407C6AE8-1192-4068-89EF-B1F693D1F9E9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{407C6AE8-1192-4068-89EF-B1F693D1F9E9}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lvenc4file\DefaultIcon\ = "\"C:\\Windows\\LVUAAgentSDPInstBaseRoot\\LvEncBrowser.exe\""	UniSDPAccessAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lvenc4file\Shell\Open\Command	UniSDPAccessAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lvenc4file\Shell\Open	UniSDPAccessAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lvenc2file\DefaultIcon	UniSDPAccessAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2D08241-B9A6-4C61-BA72-0C042E2962AA}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C1FCC7E-B553-47FE-99E2-6D3861DC03B8}\ = "IExportFile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lvenc4file\DefaultIcon	UniSDPAccessAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lvenc2file\Shell\Open\Command	UniSDPAccessAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

SDPProxyClient.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0DC12667DC00DA38E66986535A2B2CE60ADCDD2E	SDPProxyClient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0DC12667DC00DA38E66986535A2B2CE60ADCDD2E\Blob = 0300000001000000140000000dc12667dc00da38e66986535a2b2ce60adcdd2e20000000010000003a090000308209363082051e020900c97e177b362da686300d06092a864886f70d01010b0500305d310b300906035504061302434e3112301006035504080c096775616e67646f6e673111300f06035504070c087368656e7a68656e3111300f060355040a0c086c656167736f66743114301206035504030c0b6c656167736f6674204341301e170d3139303832363231333331355a170d3239303832333231333331355a305d310b300906035504061302434e3112301006035504080c096775616e67646f6e673111300f06035504070c087368656e7a68656e3111300f060355040a0c086c656167736f66743114301206035504030c0b6c656167736f667420434130820422300d06092a864886f70d01010105000382040f003082040a0282040100daf8c150e6978c89d8ae7e1f5661a985919c920825ee95386fe80d555ccc2e1d643b54f1c080b2586fdc5cda22cb6c7c5c819ff9c844406f7916c51fc8cb5bab76548076f55869d94f62cbff72b5b42808b4ed51f096807c9798f388e70ea102b37575c32b937ceec5ff6c6d9a5c341f532096c05f23fdb65e9632cb3d0f2fe06ab691a256eb6e6496347d4838d9ade091848a8a933a426761330754dfe3a15e4cc881e113358dec737ea44d569735955f1b8d5e600c0b4315ac8e5b13010ed2d6b374b57aa74cfd03ed374a37cba5850e7b03e1520fc6d46ac1a5cfd81a9189b47140b34301ee7d5eca4b640ac100cf282281324d3a4ba2beb414c02c25f76cc3a75fa073a276b780f6c37e7e14d2391e92ec7cccc7f8f2c966c6cf881384d5b06d37f90153902fa6c57a8364d3450e8831513377380fa7df95848f85b9e56b41fde9021834c909dcfd4f8370601d7087f1c1a4a46cc503745be75bf25c5a5283e3e7b0a9ca86e2140a4a4c91780325de2246dbe4fa6f84efa333f6ae344e08e4589ffea62af8b4f9f3c17291a9939e9cf590ef6c12a3b79a15258172208a4f0d5f6848e9bb6ca10e6437a2c6fa23338a48e41014e497f606f1920fcab1180b68b853b22913af10a2f91faf74b368e30f7d2ab868d94294d7e9e454df3e8422205b6014d0dcf39ac05a3b8fd4070962bd5b87034ba948f898e87642d3fc1f76fac82ce058022c7623178e33ff465c96f4ff3fd599e7e9fc0a9fd73f0e94e373e101ecb2670b196aa49844e231084b97ef5adbc463c966784deef7fc5103368f200866baef511f26d7e62fe30d16fac4db8e18d9f4d07b15b230d5cf3db53ff456092df4e129f1590251403c022295f04001882e27e871fe08ec4e59b1678761d5b2b14286aeca707f74c5e3cc87f2f7824a435f9cd8f33a06de2008f556a8213abdfaef6af2f0083d709e1291cb62210bbad8f45c8575a5b33371973e34e8c7b68317cd9b6fc54c4617ec93656fd4cfac2c9042e5abb804e4e2f416e13671aff597a4dca56441288edd3b3f8dd28b426e052d429da404b81fd201cfd07b29f29ac8283fba359daf476a4b48ae132b33b19d5f7c9ce99934343617b738b4090d025005b824dc6b29657a2b5bc5315d03c94fec81dd8e05a05218883c622889b02d98641a5222d50e9053ad4d38c5be28fefcdfbfa875b517f695dcec1f6d66ba6da049d2470951ab82fe10bc11f0fe2fe27320b7ef275b9e66009262739f325e74869b441c234c8d6319299dc5ec31c64c083bb0df5c10cb34570b8109c01062e06e1ae64a454b1f4144d376a463b558ee7f75251dbc77185ce460c19a80b10521515368b92f9c217074b6ae4985c0ec9eea03e8beeb2a654d93ded970916114dc2580043968833377240bf2ca071888abb2afb7cb652117cc7ee5aa59e7e3bf0203010001300d06092a864886f70d01010b0500038204010032ff104ac9955e22cc69abe5521ce2505f0a6a44f7ad5d069ec286984b2b32bb078efc1ded40b009eb6cb749919f1c74c0267b872478560b3d6da91847acebfa578c440cd3c876561813dce6641cb94b0ebd7316023753358fb30c6f10b1a09232734dee770cdd3aab261d86908cae6a988dae9485a2b8c5adbd067e9844a04f514a977eab8e65ff3a517a2667e4a5834541fa79b684a3b424cff09f9f9a1f466c75058900b2800aa938b16de1962ae04de0ed29f94ccf4f350c3b5f8796a72bbfe92b2e430c7ee73c5a00e4d39c7aa15b82f2da0a2c4b85c13eb7f03965739ea28a3905914557fcf0828d10f93016a8928a8fa95d20538645a2ec20b2332295c56800329d518a6598223e481329cb9ea70368d5353c7ff39b9b8498e6c6964047250e3125dbf31719254eac5440751c55af69721ab771465658e9ce23a1dba6f8990080ef6abfd1d82839b048e1e141f3cded8fc4d6c6b955da64fc15a9d134de81bd6645233de95df821dba3724ae77786bcabf06f54def40d697a5d9f4ad5fd14fa102d2b66ef7ba5302c42f1a9835bc792bd6a4a96e6f2084e67fae95955a17ca4581ef192dace5fce73443e70e7057faec1f00a18af597441bdc0da388544110d0a67bdc613e1b3a356bc5a4dad9727e56ac210878060e47d6533bd37bd0c6f32a72de5716a1810e3b11a4e3209d3cf4bf45cba2681ff7c17603f8b15615d8dd6a344e9a51eb77a2ebe7ec39245e7218bdef9722cba59562c1a64244c86fad2b4550ec8be17f5da30c5f1d21678273da0c2d42b0a8f9b4a0c157917d54998841a351950c7299ae4fc3fca3d2efe11cbe7a72959428d84df3e398fc7d813d19713bc91421079c363cf609ef5f0b63a54160cbbdb6b818528fcbb326a65dd58ae9ab8ca4036ab52cade40f7f3d8cbd311804de6813799782d280935eb99249154c4b23acd0ad1089204b52bbef80f254c3bc1aa3c1510cb6796b00f17a9ca4e5dec9fa82663b7e9ecd0173023e60f2cac141ce173f735df8ca57c2c64aeee9dd5c8bf8a1f8c0a290be8f7e8eb2c5dff2f99e2f49a11ca1b9cbafbc297093161e1dfbbecdf6fee6f11c655767bb04718b7a4ee80408db7d15d17149b3f65e5b6489da72f9b87b8dcc3164d4131e0214ea1c4d7cfe85a9734e2099eccdefca2b9df583f8975a157884809a041e6350943c35c473c5093745d4588f9a9a35311ec0ecfabf382b01884183971afb915d0acb3f6dd8f8317754bdda55bc02bbd1b9539f4a5ea84547ee8e3db42eda5771e702f38fd5e4581cd8e1fa0a27fe6bae320f9f26b25d748c6b3422a6ff3dcaf57108ee304204d5bbeaa592026d16816079064ddbeffac5f7a472651883fb61b8564d57ce3fd4ca5256dc54ffe30d27323ae9068417d47a9d77d5e264c7f8d690a70195387f335f882defdc778b2ab5325	SDPProxyClient.exe

Runs .reg file with regedit 3 IoCs

Processes:

regedit.exeregedit.exeregedit.exe

pid process

896 regedit.exe
1448 regedit.exe
5060 regedit.exe

pid	process
896	regedit.exe
1448	regedit.exe
5060	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

UniSDP_20240330SP_20240708V5.3.0.14.exeUniSDPAccessAgent.exeAsMyWish.exeUniSDPAccessAgent.exesysmon.exeUniSDPAccessAgentDaemon.exeunsecapp.exeUniSDPAccessAgentTray.exetaskhostw.exeExplorer.EXEStartMenuExperienceHost.exeSearchApp.exeSDPProxyClient.exeTextInputHost.exemousocoreworker.exeConhost.exe

pid	process
2064	UniSDP_20240330SP_20240708V5.3.0.14.exe
2064	UniSDP_20240330SP_20240708V5.3.0.14.exe
2064	UniSDP_20240330SP_20240708V5.3.0.14.exe
2064	UniSDP_20240330SP_20240708V5.3.0.14.exe
740	UniSDPAccessAgent.exe
740	UniSDPAccessAgent.exe
1816	AsMyWish.exe
1816	AsMyWish.exe
1816	AsMyWish.exe
1816	AsMyWish.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
2624	sysmon.exe
2624	sysmon.exe
2860	UniSDPAccessAgentDaemon.exe
2860	UniSDPAccessAgentDaemon.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
2956	unsecapp.exe
2956	unsecapp.exe
2836	UniSDPAccessAgentTray.exe
2836	UniSDPAccessAgentTray.exe
3108	taskhostw.exe
3108	taskhostw.exe
3520	Explorer.EXE
3520	Explorer.EXE
3916	StartMenuExperienceHost.exe
2836	UniSDPAccessAgentTray.exe
2836	UniSDPAccessAgentTray.exe
2836	UniSDPAccessAgentTray.exe
2836	UniSDPAccessAgentTray.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
3184	UniSDPAccessAgent.exe
2836	UniSDPAccessAgentTray.exe
2836	UniSDPAccessAgentTray.exe
4068	SearchApp.exe
3616	SDPProxyClient.exe
3616	SDPProxyClient.exe
3616	SDPProxyClient.exe
3616	SDPProxyClient.exe
3616	SDPProxyClient.exe
3616	SDPProxyClient.exe
3616	SDPProxyClient.exe
1220	TextInputHost.exe
4396	mousocoreworker.exe
4396	mousocoreworker.exe
3616	SDPProxyClient.exe
3616	SDPProxyClient.exe
592	Conhost.exe
592	Conhost.exe
3616	SDPProxyClient.exe
3616	SDPProxyClient.exe

Suspicious behavior: LoadsDriver 43 IoCs

Processes:

UniSDPAccessAgentDaemon.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exeSDPSbieSvc.exe

pid	process
660
2860	UniSDPAccessAgentDaemon.exe
660
2860	UniSDPAccessAgentDaemon.exe
2860	UniSDPAccessAgentDaemon.exe
660
4000	SDPSbieSvc.exe
660
660
4608	SDPSbieSvc.exe
3244	SDPSbieSvc.exe
660
2860	UniSDPAccessAgentDaemon.exe
452	SDPSbieSvc.exe
2416	SDPSbieSvc.exe
808	SDPSbieSvc.exe
4360	SDPSbieSvc.exe
660
1580	SDPSbieSvc.exe
2860	UniSDPAccessAgentDaemon.exe
2212	SDPSbieSvc.exe
1488	SDPSbieSvc.exe
1772	SDPSbieSvc.exe
4812	SDPSbieSvc.exe
4124	SDPSbieSvc.exe
1956	SDPSbieSvc.exe
4204	SDPSbieSvc.exe
400	SDPSbieSvc.exe
1596	SDPSbieSvc.exe
1424	SDPSbieSvc.exe
3764	SDPSbieSvc.exe
2292	SDPSbieSvc.exe
2564	SDPSbieSvc.exe
1424	SDPSbieSvc.exe
660
1324	SDPSbieSvc.exe
2860	UniSDPAccessAgentDaemon.exe
1076	SDPSbieSvc.exe
4372	SDPSbieSvc.exe
208	SDPSbieSvc.exe
2448	SDPSbieSvc.exe
1364	SDPSbieSvc.exe
2620	SDPSbieSvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

UniSDP_20240330SP_20240708V5.3.0.14.exe7z.exeVienna.exeAsMyWish.exeUniSDPAccessAgentDaemon.exeUniSDPAccessAgent.exeUniSDPAccessAgentTray.exesvchost.exeExplorer.EXESDPCSClient.exeSDPProxyClient.exeSDPProxyClient.exeSDPSbieSvc.exeAsMyWish.exeSDPSbieSvc.exeSDPSbieSvc.exe

description	pid	process
Token: SeDebugPrivilege	2064	UniSDP_20240330SP_20240708V5.3.0.14.exe
Token: SeRestorePrivilege	2004	7z.exe
Token: 35	2004	7z.exe
Token: SeSecurityPrivilege	2004	7z.exe
Token: SeSecurityPrivilege	2004	7z.exe
Token: SeDebugPrivilege	452	Vienna.exe
Token: SeDebugPrivilege	1816	AsMyWish.exe
Token: SeLoadDriverPrivilege	2860	UniSDPAccessAgentDaemon.exe
Token: SeDebugPrivilege	3184	UniSDPAccessAgent.exe
Token: SeCreateGlobalPrivilege	2836	UniSDPAccessAgentTray.exe
Token: SeDebugPrivilege	2836	UniSDPAccessAgentTray.exe
Token: SeBackupPrivilege	2064	UniSDP_20240330SP_20240708V5.3.0.14.exe
Token: SeLoadDriverPrivilege	2860	UniSDPAccessAgentDaemon.exe
Token: SeTcbPrivilege	800	svchost.exe
Token: SeTcbPrivilege	800	svchost.exe
Token: SeTcbPrivilege	800	svchost.exe
Token: SeTcbPrivilege	800	svchost.exe
Token: SeTcbPrivilege	800	svchost.exe
Token: SeDebugPrivilege	2836	UniSDPAccessAgentTray.exe
Token: SeTcbPrivilege	2836	UniSDPAccessAgentTray.exe
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeCreateGlobalPrivilege	4108	SDPCSClient.exe
Token: SeDebugPrivilege	4108	SDPCSClient.exe
Token: SeTcbPrivilege	3184	UniSDPAccessAgent.exe
Token: SeDebugPrivilege	3184	UniSDPAccessAgent.exe
Token: SeDebugPrivilege	3184	UniSDPAccessAgent.exe
Token: SeDebugPrivilege	1876	SDPProxyClient.exe
Token: SeDebugPrivilege	3184	UniSDPAccessAgent.exe
Token: SeDebugPrivilege	3616	SDPProxyClient.exe
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeLoadDriverPrivilege	2860	UniSDPAccessAgentDaemon.exe
Token: SeBackupPrivilege	4000	SDPSbieSvc.exe
Token: SeRestorePrivilege	4000	SDPSbieSvc.exe
Token: SeDebugPrivilege	3616	SDPProxyClient.exe
Token: SeDebugPrivilege	2804	AsMyWish.exe
Token: SeBackupPrivilege	4608	SDPSbieSvc.exe
Token: SeRestorePrivilege	4608	SDPSbieSvc.exe
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeDebugPrivilege	3616	SDPProxyClient.exe
Token: SeBackupPrivilege	3244	SDPSbieSvc.exe
Token: SeRestorePrivilege	3244	SDPSbieSvc.exe
Token: SeTcbPrivilege	3184	UniSDPAccessAgent.exe
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeDebugPrivilege	3616	SDPProxyClient.exe
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

UniSDPAccessAgentTray.exeExplorer.EXEUniSDPAccessAgentTray.exe

pid	process
2836	UniSDPAccessAgentTray.exe
2836	UniSDPAccessAgentTray.exe
3520	Explorer.EXE
3520	Explorer.EXE
1744	UniSDPAccessAgentTray.exe
1744	UniSDPAccessAgentTray.exe
3520	Explorer.EXE
3520	Explorer.EXE
1744	UniSDPAccessAgentTray.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

UniSDPAccessAgentTray.exeUniSDPAccessAgentTray.exe

pid process

2836 UniSDPAccessAgentTray.exe
1744 UniSDPAccessAgentTray.exe
1744 UniSDPAccessAgentTray.exe

Suspicious use of SetWindowsHookEx 35 IoCs

Processes:

TinaiatSDP.exeTinaiatSDP.exeSDPSbieCtrl.exeSDPSbieCtrl.exeTinaiatSDP.exeTinaiatSDP.exeSDPSandBoxUI.exeSDPSbieCtrl.exeSDPSbieCtrl.exeSDPSbieCtrl.exeSDPSbieCtrl.exeSDPSbieCtrl.exeSDPSbieCtrl.exeSDPSbieCtrl.exeSDPSbieCtrl.exeSDPSbieCtrl.exeSDPSbieCtrl.exeSDPSbieCtrl.exeSDPSbieCtrl.exeSDPSbieCtrl.exe

pid	process
1516	TinaiatSDP.exe
3620	TinaiatSDP.exe
3952	SDPSbieCtrl.exe
3952	SDPSbieCtrl.exe
932	SDPSbieCtrl.exe
932	SDPSbieCtrl.exe
4184	TinaiatSDP.exe
1992	TinaiatSDP.exe
4572	SDPSandBoxUI.exe
512	SDPSbieCtrl.exe
512	SDPSbieCtrl.exe
1884	SDPSbieCtrl.exe
1884	SDPSbieCtrl.exe
932	SDPSbieCtrl.exe
932	SDPSbieCtrl.exe
2620	SDPSbieCtrl.exe
2620	SDPSbieCtrl.exe
2212	SDPSbieCtrl.exe
2212	SDPSbieCtrl.exe
4656	SDPSbieCtrl.exe
4656	SDPSbieCtrl.exe
1812	SDPSbieCtrl.exe
1812	SDPSbieCtrl.exe
1208	SDPSbieCtrl.exe
1208	SDPSbieCtrl.exe
1440	SDPSbieCtrl.exe
1440	SDPSbieCtrl.exe
4656	SDPSbieCtrl.exe
4656	SDPSbieCtrl.exe
3540	SDPSbieCtrl.exe
3540	SDPSbieCtrl.exe
4976	SDPSbieCtrl.exe
4976	SDPSbieCtrl.exe
2964	SDPSbieCtrl.exe
2964	SDPSbieCtrl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

UniSDP_20240330SP_20240708V5.3.0.14.exeFocaccino.exeUniSDPAccessAgent.exeUAAExt.exeAsMyWish.exeUniSDPAccessAgent.exesvchost.exe

description	pid	process	target process
PID 2064 wrote to memory of 2004	2064	UniSDP_20240330SP_20240708V5.3.0.14.exe	7z.exe
PID 2064 wrote to memory of 2004	2064	UniSDP_20240330SP_20240708V5.3.0.14.exe	7z.exe
PID 2064 wrote to memory of 2004	2064	UniSDP_20240330SP_20240708V5.3.0.14.exe	7z.exe
PID 2064 wrote to memory of 3240	2064	UniSDP_20240330SP_20240708V5.3.0.14.exe	UniSDPAccessAgentDaemon.exe
PID 2064 wrote to memory of 3240	2064	UniSDP_20240330SP_20240708V5.3.0.14.exe	UniSDPAccessAgentDaemon.exe
PID 2064 wrote to memory of 4900	2064	UniSDP_20240330SP_20240708V5.3.0.14.exe	Focaccino.exe
PID 2064 wrote to memory of 4900	2064	UniSDP_20240330SP_20240708V5.3.0.14.exe	Focaccino.exe
PID 4900 wrote to memory of 740	4900	Focaccino.exe	UniSDPAccessAgent.exe
PID 4900 wrote to memory of 740	4900	Focaccino.exe	UniSDPAccessAgent.exe
PID 740 wrote to memory of 4944	740	UniSDPAccessAgent.exe	regsvr32.exe
PID 740 wrote to memory of 4944	740	UniSDPAccessAgent.exe	regsvr32.exe
PID 740 wrote to memory of 3996	740	UniSDPAccessAgent.exe	regsvr32.exe
PID 740 wrote to memory of 3996	740	UniSDPAccessAgent.exe	regsvr32.exe
PID 740 wrote to memory of 452	740	UniSDPAccessAgent.exe	Vienna.exe
PID 740 wrote to memory of 452	740	UniSDPAccessAgent.exe	Vienna.exe
PID 740 wrote to memory of 452	740	UniSDPAccessAgent.exe	Vienna.exe
PID 740 wrote to memory of 2696	740	UniSDPAccessAgent.exe	UAAExt.exe
PID 740 wrote to memory of 2696	740	UniSDPAccessAgent.exe	UAAExt.exe
PID 740 wrote to memory of 2260	740	UniSDPAccessAgent.exe	UniSDPAccessAgent.exe
PID 740 wrote to memory of 2260	740	UniSDPAccessAgent.exe	UniSDPAccessAgent.exe
PID 2696 wrote to memory of 812	2696	UAAExt.exe	UAAExt.exe
PID 2696 wrote to memory of 812	2696	UAAExt.exe	UAAExt.exe
PID 740 wrote to memory of 1816	740	UniSDPAccessAgent.exe	AsMyWish.exe
PID 740 wrote to memory of 1816	740	UniSDPAccessAgent.exe	AsMyWish.exe
PID 740 wrote to memory of 4548	740	UniSDPAccessAgent.exe	UniSDPAccessAgent.exe
PID 740 wrote to memory of 4548	740	UniSDPAccessAgent.exe	UniSDPAccessAgent.exe
PID 740 wrote to memory of 4440	740	UniSDPAccessAgent.exe	regsvr32.exe
PID 740 wrote to memory of 4440	740	UniSDPAccessAgent.exe	regsvr32.exe
PID 740 wrote to memory of 1164	740	UniSDPAccessAgent.exe	regsvr32.exe
PID 740 wrote to memory of 1164	740	UniSDPAccessAgent.exe	regsvr32.exe
PID 740 wrote to memory of 5052	740	UniSDPAccessAgent.exe	UAAExt.exe
PID 740 wrote to memory of 5052	740	UniSDPAccessAgent.exe	UAAExt.exe
PID 1816 wrote to memory of 616	1816	AsMyWish.exe	winlogon.exe
PID 1816 wrote to memory of 800	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 956	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 336	1816	AsMyWish.exe	dwm.exe
PID 1816 wrote to memory of 468	1816	AsMyWish.exe	svchost.exe
PID 3184 wrote to memory of 4672	3184	UniSDPAccessAgent.exe	UAAExt.exe
PID 3184 wrote to memory of 4672	3184	UniSDPAccessAgent.exe	UAAExt.exe
PID 1816 wrote to memory of 64	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1048	1816	AsMyWish.exe	svchost.exe
PID 3184 wrote to memory of 2836	3184	UniSDPAccessAgent.exe	UniSDPAccessAgentTray.exe
PID 3184 wrote to memory of 2836	3184	UniSDPAccessAgent.exe	UniSDPAccessAgentTray.exe
PID 800 wrote to memory of 688	800	svchost.exe	DllHost.exe
PID 800 wrote to memory of 688	800	svchost.exe	DllHost.exe
PID 1816 wrote to memory of 1100	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1128	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1144	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1172	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1296	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1336	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1368	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1384	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1508	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1536	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1548	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1660	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1700	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1752	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1776	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1856	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1972	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 1980	1816	AsMyWish.exe	svchost.exe
PID 1816 wrote to memory of 2044	1816	AsMyWish.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Executes dropped EXE
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Executes dropped EXE
  PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2956
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3828
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3916
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3988
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4068
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4168
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4156
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3176
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1220
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3508
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  - Checks BIOS information in registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  PID:4044
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4396
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:688
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1424
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2564
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1272
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2936
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:60
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3740
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:5064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
- Executes dropped EXE
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
- Executes dropped EXE
PID:468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
- Executes dropped EXE
PID:64

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
- Executes dropped EXE
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1128
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
- Executes dropped EXE
PID:1144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
- Checks processor information in registry
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
- Executes dropped EXE
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
- Executes dropped EXE
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Executes dropped EXE
PID:1508
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:2948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
- Executes dropped EXE
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Executes dropped EXE
PID:1120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
- Executes dropped EXE
PID:1784

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Executes dropped EXE
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
- Executes dropped EXE
PID:2360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Executes dropped EXE
PID:2604

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
- Executes dropped EXE
PID:3424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3520
- C:\Users\Admin\AppData\Local\Temp\UniSDP_20240330SP_20240708V5.3.0.14.exe
  "C:\Users\Admin\AppData\Local\Temp\UniSDP_20240330SP_20240708V5.3.0.14.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\UniSDP_20240330SP_20240708V5.3.0.14\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\UniSDP_20240330SP_20240708V5.3.0.14\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\UniSDP_20240330SP_20240708V5.3.0.14\Install.7z" -o"C:\Users\Admin\AppData\Local\Temp\UniSDP_20240330SP_20240708V5.3.0.14\Install" -y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgentDaemon.exe
    "C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgentDaemon.exe" -i
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    PID:3240
- - C:\Windows\LVUAAgentSDPInstBaseRoot\Focaccino.exe
    "C:\Windows\LVUAAgentSDPInstBaseRoot\Focaccino.exe" --pre_inst
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgent.exe
      C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgent.exe --unisoft_instance
      4⤵
      Sets service image path in registry
      Executes dropped EXE
      Impair Defenses: Safe Mode Boot
      Loads dropped DLL
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\LVUAAgentSDPInstBaseRoot\system32\CarnegieHallShellCore.dll
        5⤵
        
        PID:4944
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\SysWOW64\CarnegieHallShellCore.dll
        5⤵
        
        PID:3996
    - - C:\Windows\LVUAAgentSDPInstBaseRoot\32\Vienna.exe
        
        C:\Windows\LVUAAgentSDPInstBaseRoot\32\Vienna.exe -GetComputerID
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
    - - C:\Windows\LVUAAgentSDPInstBaseRoot\UAAExt.exe
        
        C:\Windows\LVUAAgentSDPInstBaseRoot\UAAExt.exe --unisoftetc -ins_init_dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\LVUAAgentSDPInstBaseRoot\UAAExt.exe
        
        C:\Windows\LVUAAgentSDPInstBaseRoot\UAAExt.exe --unisoftetc -ins_init_dll2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:812
    - - C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgent.exe
        
        UniSDPAccessAgent.exe -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2260
    - - C:\Windows\LVUAAgentSDPInstBaseRoot\AsMyWish.exe
        
        C:\Windows\LVUAAgentSDPInstBaseRoot\AsMyWish.exe leagsoft
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:592
      - C:\Windows\LVUAAgentSDPInstBaseRoot\32\AsMyWish.exe
        
        C:\Windows\LVUAAgentSDPInstBaseRoot\32\AsMyWish.exe leagsoft
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgent.exe
        
        UniSDPAccessAgent.exe -s
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4548
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\LVUAAgentSDPInstBaseRoot\system32\MiRobotic.dll
        5⤵
        
        PID:4440
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\LVUAAgentSDPInstBaseRoot\SysWOW64\MiRobotic.dll
        5⤵
        
        PID:1164
    - - C:\Windows\LVUAAgentSDPInstBaseRoot\UAAExt.exe
        
        C:\Windows\LVUAAgentSDPInstBaseRoot\UAAExt.exe --unisoftetc -cleankbreg
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4724

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4816

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2028

C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgent.exe
"C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgent.exe"
1⤵
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\LVUAAgentSDPInstBaseRoot\UAAExt.exe
  C:\Windows\LVUAAgentSDPInstBaseRoot\UAAExt.exe --unisoftetc -icf agentremote
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgentTray.exe
  C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgentTray.exe -hide
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2836
- - C:\Windows\LVUAAgentSDPInstBaseRoot\TinaiatSDP.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\TinaiatSDP.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1516
- - C:\Windows\LVUAAgentSDPInstBaseRoot\32\TinaiatSDP.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\32\TinaiatSDP.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3620
- - C:\Windows\LVUAAgentSDPInstBaseRoot\SDPCSClient.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\SDPCSClient.exe
    3⤵
    - Executes dropped EXE
    PID:2828
- - C:\Windows\LVUAAgentSDPInstBaseRoot\SDPCSClient.exe
    "C:\Windows\LVUAAgentSDPInstBaseRoot\SDPCSClient.exe" --SPA
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4108
- C:\Windows\LVUAAgentSDPInstBaseRoot\SDPProxyClient.exe
  C:\Windows\LVUAAgentSDPInstBaseRoot\SDPProxyClient.exe install
  2⤵
  - Sets service image path in registry
  - Impair Defenses: Safe Mode Boot
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- - C:\Windows\SYSTEM32\regsvr32.exe
    regsvr32.exe /s C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\ExportMenu.dll
    3⤵
    - Modifies registry class
    PID:2216
- C:\Windows\LVUAAgentSDPInstBaseRoot\SDPProxyClient.exe
  C:\Windows\LVUAAgentSDPInstBaseRoot\SDPProxyClient.exe
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3616
- - C:\Windows\LVUAAgentSDPInstBaseRoot\SDPNSPInstaller.exe
    "C:\Windows\LVUAAgentSDPInstBaseRoot\SDPNSPInstaller.exe" install
    3⤵
    - Modifies data under HKEY_USERS
    PID:2080
  - - C:\Windows\regedit.exe
      "C:\Windows\regedit.exe" /e "C:\Windows\LVUAAgentSDPInstBaseRoot\public\NameSpace_Catalog5_BAK.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5"
      4⤵
      Runs .reg file with regedit
      PID:896
- - C:\Windows\LVUAAgentSDPInstBaseRoot\32\SDPNSPInstaller.exe
    "C:\Windows\LVUAAgentSDPInstBaseRoot\32\SDPNSPInstaller.exe" install
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:1492
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe" /e "C:\Windows\LVUAAgentSDPInstBaseRoot\32\public\NameSpace_Catalog5_BAK.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:1448
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:3944
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3952
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:932
- - C:\Windows\regedit.exe
    regedit.exe -s C:\Windows\LVUAAgentSDPInstBaseRoot\public\win10.reg
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:5060
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:512
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1884
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:932
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2212
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4656
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1812
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1208
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1440
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4656
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3540
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4976
- - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieCtrl.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2964
- C:\Windows\LVUAAgentSDPInstBaseRoot\UAAExt.exe
  C:\Windows\LVUAAgentSDPInstBaseRoot\UAAExt.exe --unisoftetc -ins_init_dll
  2⤵
  PID:1056
- - C:\Windows\LVUAAgentSDPInstBaseRoot\UAAExt.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\UAAExt.exe --unisoftetc -ins_init_dll2
    3⤵
    PID:4616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell confirm-securebootuefi
  2⤵
  PID:4656
- C:\Windows\SYSTEM32\regsvr32.exe
  regsvr32.exe /s /u C:\Windows\LVUAAgentSDPInstBaseRoot\system32\MiRoboticIE.dll
  2⤵
  PID:1428
- C:\Windows\SYSTEM32\regsvr32.exe
  regsvr32.exe /s /u C:\Windows\LVUAAgentSDPInstBaseRoot\SysWOW64\MiRoboticIE.dll
  2⤵
  PID:4608
- C:\Windows\LVUAAgentSDPInstBaseRoot\UAAExt.exe
  C:\Windows\LVUAAgentSDPInstBaseRoot\UAAExt.exe --unisoftetc -icf agentremote
  2⤵
  PID:60
- C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgentTray.exe
  C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgentTray.exe -hide
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1744
- - C:\Windows\LVUAAgentSDPInstBaseRoot\TinaiatSDP.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\TinaiatSDP.exe
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4184
- - C:\Windows\LVUAAgentSDPInstBaseRoot\32\TinaiatSDP.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\32\TinaiatSDP.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1992
- - C:\Windows\LVUAAgentSDPInstBaseRoot\SDPCSClient.exe
    C:\Windows\LVUAAgentSDPInstBaseRoot\SDPCSClient.exe
    3⤵
    PID:3124
- - C:\Windows\LVUAAgentSDPInstBaseRoot\SDPCSClient.exe
    "C:\Windows\LVUAAgentSDPInstBaseRoot\SDPCSClient.exe" --SPA
    3⤵
    PID:2804
  - - C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSandBoxUI.exe
      C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSandBoxUI.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 684
        5⤵
        Program crash
        
        PID:3352

C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgentDaemon.exe
"C:\Windows\LVUAAgentSDPInstBaseRoot\UniSDPAccessAgentDaemon.exe"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4572 -ip 4572
1⤵
PID:3764

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:452

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:2416

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:808

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:4360

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:1580

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:2212

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:1488

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:1772

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:4812

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:4124

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:1956

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:4204

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:400

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:1596

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:1424

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:3764

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:2292

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:2564

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:1424

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:1324

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:1076

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:4372

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:208

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:2448

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:1364

C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
C:\Windows\LVUAAgentSDPInstBaseRoot\safebox\SDPSbieSvc.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Safe Mode Boot

T1562.009

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery