exorcist | dfecb46078038bcfa9d0b8db18bdc0646f33bad55ee7dd5ee46e61c6cf399620

Analysis

max time kernel
244s
max time network
242s
platform
windows7_x64
resource
win7v200722
submitted
30-09-2020 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

68KB
MD5

9e5c89c84cdbf460fc6857c4e32dafdf
SHA1

ee0a95846ce48c59261eda0fdd6b38dfc83d9f4d
SHA256

dfecb46078038bcfa9d0b8db18bdc0646f33bad55ee7dd5ee46e61c6cf399620
SHA512

6da517ae5159ebcb0ac138b34215924fb21adae619c3c15ede6863866648e445633f482b2beaddbe74de66b48e18d106dbde3253ee2d3ce86da667f7f8494cd8

Score

10^/10

ransomware exorcist persistence

Malware Config

Signatures

Exorcist Ransomware
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Setup.exe
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Setup.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Setup.exe
File opened (read-only)	\??\N:	Setup.exe
File opened (read-only)	\??\L:	Setup.exe
File opened (read-only)	\??\K:	Setup.exe
File opened (read-only)	\??\I:	Setup.exe
File opened (read-only)	\??\F:	Setup.exe
File opened (read-only)	\??\B:	Setup.exe
File opened (read-only)	\??\Y:	Setup.exe
File opened (read-only)	\??\S:	Setup.exe
File opened (read-only)	\??\P:	Setup.exe
File opened (read-only)	\??\H:	Setup.exe
File opened (read-only)	\??\A:	Setup.exe
File opened (read-only)	\??\W:	Setup.exe
File opened (read-only)	\??\R:	Setup.exe
File opened (read-only)	\??\O:	Setup.exe
File opened (read-only)	\??\M:	Setup.exe
File opened (read-only)	\??\J:	Setup.exe
File opened (read-only)	\??\G:	Setup.exe
File opened (read-only)	\??\D:	Setup.exe
File opened (read-only)	\??\Z:	Setup.exe
File opened (read-only)	\??\X:	Setup.exe
File opened (read-only)	\??\U:	Setup.exe
File opened (read-only)	\??\T:	Setup.exe
File opened (read-only)	\??\Q:	Setup.exe
File opened (read-only)	\??\E:	Setup.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1896	vssadmin.exe

Modifies data under HKEY_USERS 227 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0043006c0065006100720053007400650070002e0064006f007400780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 97b397c7e5cfa077b7a735b93574de92d1cc2edc02ac54885b7ee9dc08b9f36b	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = e9176852d581a52cab6244ea53cdc1c433d2a9b3d6690ae6d7bb2ed71ff39707	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = e99b1dbee5835d2c1e6c6aee072c9e2cccc00d180b7b914e6504cfd6bb12d491	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0049006e0069007400690061006c0069007a00650055006e006c006f0063006b002e0064006f007400780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 41a92b0e4b539ac81929610e6d01a223877bce46f16bf608d14c0fe7a10e3f40	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 16e4ab9deb83149e4d9dbce8abe3fbb0ead202e42b7d93cf9bc5846496d8b8f6	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 2eeb5c7fcc61383d0ff52cd4ce426b29d7f016289e46d0c644a7f2666373f0fb	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0055006e007000750062006c00690073006800530065006c006500630074002e006d003100760000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 90879ff0669c41e3aaa08333e08626735be5f1169ca81205153d7f63d20107c1	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = cab29b97a28fd9f492fd89b970bd2d0a853b040b4930c15a05c7e2a07ccb0a1f	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c005200650063006500690076006500530074006100720074002e0070006f0074006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0043006f006e00740061006300740073005c00410064006d0069006e002e0063006f006e00740061006300740000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 62a0622840004f4171f78559e0e48be418099518e00267df3486cf4f6ed2414a	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 0ea8f35fe456bc9ad1a41b71f60431f151208a4ed295db9615fc8f530de49ecf	Setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadNetworkName = "Network"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = cc639a7782bf54d7c92002221b07904201a792ae8778c2527cb58487decc71a8	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = be03917e8b71fdee4bf7d3e1cf67b9390f79760eb5a5abf105aedbe63e5d8861	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0041006400640057006100690074002e0070006f0074006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = c50dc69ec4c4367b89b8f4d6c2e5be57767222f4840a3545dce80f90d09a6011	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = a6c1d8affe2bbb6583ffeecca83545213848c7e1cab4557f168aec8d314935cb	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00610066003300350064006400610034002d0063006300340038002d0031003100650061002d0062003300350036002d003800300036006500360066003600650036003900360033007d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c005200650063006f0076006500720079005c00300035003100620065003100380032002d0063006300350031002d0031003100650061002d0061006300310033002d003400360066003800610037003600300030006500620065005c0062006f006f0074002e0073006400690000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 6f26c4963b17868ff366ae8717ab21c2ef06cdf1691d0a33c3014271ed0adb10	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 79c46bdc83ac04e04f783d05ca62eb325ea19979677406094d006e0297a411c8	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 3a2600a45241586cb765070b453d4abbf96145ed0da72eb54bff4a279aff2fd7	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0052006500730075006d00650052006500730074006f00720065002e00760073007300780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = f5064a471e4a53a5d18a0124862c85fa9bccded9e69efe90890fbdcd0d131a13	Setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = e2fedd6d9549ea978f003aefed2d883d380c609546d454d3f1638ae73fd9f3d8	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0053006b00690070005000750062006c006900730068002e006a007000670000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = c30c63c2c30ae1ae3f3b0cf897012e9b1b591d6d6ca65a66c2d52ff67a73e9d3	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = a1bb31a61d5daf6aba75f7a8edda039cd9524511b33c50941b1615eeac2424d0	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = b7bb39591ad5ae0e1bbab120d2949e3354269947f372da7565b79ef78348d62b	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = fcee67ac81a9192ecce3de256d50900b8cb5f9e4812a979cc30a075b86457e19	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 6cd5f3769530f1c839ad2cb8aaacd674ca8369666a5a630e432d9a86d71b4f3b	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c00530074006f0070004a006f0069006e002e0069006e00660000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0049006e007300740061006c006c0046006f0072006d00610074002e0078006c007400780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0052006500630065006e0074006c0079002e0064006f006300780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 5d6b5bfb9931154b1338b9af15478a606523edac8d892fc838b9d68053c9db78	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 70153f8d75e1f41bf42e2e80f2ddb59807c46bb68d39ad626adda536f185e517	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = de3fbc30372043165694b51b21a67f777ac9cbbb1bd23a753e51189b7ecf3750	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 95a75317804fab9e4be2fa7fa4a4629dc93315988b8c41752da9e661761c3411	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecisionTime = 708b95373797d601	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 57a22a4dc3f13637fb6811252d77f8ee484300bde1bdbcce9a7c631e0585e4f0	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = c29e19df0f716a7c39d130675ba7c8ec7c6ce80fdcafce760aa8a17c1d24441d	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 99c0b9ef3cb9776ca53df01a49e9c0a0ed13e397712b36f6c7bd486efafb19e4	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0045007800700061006e0064004500780070006f00720074002e00330067007000320000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 15c431031f31f6379cd241e3bc9b50fcbdbcc1e458ec2ab603c1279358881446	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = d71cf2d86d4e2d0ab545a5b64590883b4fb8f1fbbe79b0359b4c3c93afff95da	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 868e2dc0ca8416215aa4c27b6588eac0b1f3392223f6e7adf0e0b9dffd1e6999	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c005200650076006f006b00650049006d0070006f00720074002e0041004100430000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = c25ae54e8db12e8c89d2746e13d1ab48d4fd71650a3d64680dc629b4b52cce51	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 25c5c807657ad6ada6c03afbf44bbf7d9eedf0af8f049f90db0c2b594c9caae5	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = da8bf523dedfc7d44e42faf8a8224b8f2f71494aaffa5db217be42a5b738161c	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0049006e0069007400690061006c0069007a00650046006f0072006d00610074002e00700070007300780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0052006500610064005500700064006100740065002e006f006400700000000000	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{af35dda4-cc48-11ea-b356-806e6f6e6963}\MaxCapacity = "15140"	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 708b95373797d601	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 5c48a799cb45ca1fec0572ec6f5e4729044f425c4ca0f545fedbe8314db7921c	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = e888bc2daf27b28389ac9ada771c8cc99a0c426dc6cbf50881046f9c067a142a	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0041006400640055006e00720065006700690073007400650072002e0078007000730000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = ff357b83dbe3903ff1ef3354b10e7ffad90641240508e3c565aac730baf6f196	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 9ce03faa1142e39f326c1f4ba126d04d422c1127bb2d5b5b455abd49fa7f9a15	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 97e67f63dabc31dda4e4fa7b034426385859912d8d292d66a7cea97f89e3944e	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecisionTime = 704819513797d601	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 338ee86d788afa08be54a56adf64e1fbd1dd36717001e750dac27ee9d810930c	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = a71af71f5920a3911cce550deeba1159bf987f95345d3588663a8736fcc4bb75	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 59cbdb18f6218cd599627b50c2aa1b8d22cd8c5abc2ccca1a7d40111737155cf	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c00530065006c0065006300740046006f0072006d00610074002e00680074006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 70a7363fcc625f457c391be3de4b5d9632ee61676f8e7d1a498e5e706f709dcf	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0053006b00690070005300750062006d00690074002e00700070007400780000000000	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{af35dda3-cc48-11ea-b356-806e6f6e6963}	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 1f46ca93a9b3bf3609152e474234155e156f9dbcf29d5e191d019ea379e5b99d	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 1d53febbbc5f0d9b02617bfe0afb7602a6e2c985b97057c450943d97fff143c3	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c00440069007300610062006c0065005200650073006f006c00760065002e00610069006600630000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c004c0069006d0069007400530068006f0077002e0078006c007300620000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0053006100760065005200650073006f006c00760065002e0070006400660000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 778cd7144306b0a7933c364f5c3c0c3da761497bfe608089ce930077618cb180	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 3492a704110ecd4c4924ce0e751057d98899f7cb4da6d3c702070305fcff80bb	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 0292e6922a8e1a943dabd82380beeeb6a407e23ab3fbac6ae39a72b47a8e0701	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 5b249bd11fe18dba4c1c2c765704bd4183bf0fdd0dc21a266c96133476f07257	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 4ba3ab226f9506d7a2ca617b45e8524471747ef90df3fb5abbd0cef1f20d0d97	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = b8892665368bc2fa17e1e317a05ca0e4991d4601f45ba7bc4cdf5c17a166df28	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0053006500610072006300680052006500730074006100720074002e006f006400740000000000	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{af35dda4-cc48-11ea-b356-806e6f6e6963}\NukeOnDelete = "0"	Setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Setup.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = af313958c629457d1f5010c5cd5f093767e8de7d5e89b5e5d855a6270abf5557	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 4deafd2c06f55c681afa10b8735b57a3c5820f56035d53b193cd171b4ad6d774	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0053007400610072007400500072006f0074006500630074002e0077007000730000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = dba05c9be414257e498a606f7a189231d5bb82c0b2c235dbf419984b190e1297	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{af35dda3-cc48-11ea-b356-806e6f6e6963}\NukeOnDelete = "0"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = ec0200006082a2b03797d601	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006400650070006c006f0079006d0065006e0074002e00700072006f00700065007200740069006500730000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0049006d0070006f00720074004700650074002e004d003200540000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0052006500730069007a00650041007000700072006f00760065002e006d0070006500670000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 9ee946ccb3981b8db6a2e6fe45dbeb48490a1e182493306052ffb5c4bab9b25b	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 8a75c9de20efca04337f574496a2aab2d5ad460f2eba7f753f49240837eeed25	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "1"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 2625dc2f4ccf1cef79e9eefff7136b7e64a7114ed1f8610c69f2d2f2033b30e3	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = c68d0ad7d25751a2560aec7a820a57091e180a97c4018c4a79c91969b89d5505	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 8999d0d1d81a0119d35b4ef359a2d437fef9ef2b74b8c2887b1b9006d4b343f4	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 351694dc51e4ce6be0065cfc995bc002108ce9f8040c26f75c258c36ef7de622	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 396e3ef25d278c9577f07853c1335d783b0d35f74d3b727c407422279bd9b51d	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0041007000700072006f007600650043006c006f00730065002e007600730074006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 524c5427a4cc7772a648e9b2348864eaf6927a6793a04f776901dd06aea0f4c1	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = a8109fadd6657dca6d6953609e7d80435da444cf7c0ec316de3d2abb20368dc0	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = bae852da419bd942d1b825ee0bec34937c4c8ba38001ca314ec1a4a934d7badc	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 7ea7dc1a1733713f6e4b76bf15c4e9223811a407fb303c353f25de4d29a8454a	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = e9bbaf9ea12245ff60752e6b5aec0a3d2b8cd4dfa978afa1348949d1fb0914fa	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c004500780069007400530074006f0070002e00680074006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c005000750062006c00690073006800460069006e0064002e006f006400700000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c00530074006f0070004a006f0069006e002e007600730074006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = aa041a28804e8f000ce043232edb9ddb6ead7c4edc3115f491c1fa7145ff9dfa	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c004c0069006d006900740049006e007300740061006c006c002e0078006c007300780000000000	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 67d0ed21da7662cbb833159188e012c39f7c919ebaf006101b110bd15ef95775	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c004f007500740052006500730074006100720074002e0070006f0074006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0049006e0069007400690061006c0069007a0065005000750062006c006900730068002e0078006d006c0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 6158d3beb82b544f7e16644431528017fe92e4b98bfb1686d94cb412fc627519	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c005200650064006f0045006e00610062006c0065002e006f006400740000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = bdd5668c6e238f288c6c77ec7fc367dcde61f23ad6e03f141670d9c64305cf02	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 610469f0fa0b22d80911646c832ba8559a0a784a637ed159154d1257140dc7d9	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0050007500730068005200650064006f002e0064006f0063006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = eaabb67a44110e34b3b619cf6f1617ef73c01d014ef01ba3deaed7b6300288c1	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c00520065006100640043006f006e007600650072007400460072006f006d002e0076007300740000000000	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 2894e43ac58370c28038201a5aa3e37a232e4aa41b313d1fe5989a578dfeffd4	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c004f00700065006e00650064002e0064006f006300780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 79dd0b7c498ec3470644efd16dae1fb4c79a2accdd45b4732d0c850760ad832c	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 53623da01a16100951ff6d0fd86e27ec178d9c3ac2cf3cf45875c93874dc654c	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0042006c006f0063006b005000750062006c006900730068002e006f006400700000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 797dfa7b21693b0dcd416eae09c4010aa228f499816124a3bc31652be7399f58	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 34e1ea9d3f45d96f19c2d851d1052e0810ccd4989572a6d3ef202afbb2f99ea7	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c004d006f0075006e00740055006e00700072006f0074006500630074002e007600730064006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c00520065006e0061006d00650055006e00720065006700690073007400650072002e0064006f00740000000000	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecision = "0"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 5aa9f6965c2ddaa9f7364391f7a5c6949ca57a7c5753db2c10cd0ca923c869a0	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 3a959a7ec7ae575002811a7307c4244d52cedc7d49a033c4c78265006ff53e0b	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 9586987455cf5eaeb42a322b41a9589a7222e2c270eb06e30119ced3e323a721	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 1557be9309da156d3861efaf89ff24f8fe68b58b01a3c5500b52c8a13282f8ac	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c004e006500770043006f006d0070006100720065002e0078006c00610000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 75792b18aa38ae3505f34419a66c4085b0208db192ca515f2d08099999e3ab10	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0041007000700072006f0076006500460069006e0064002e0070006f007400780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 8537fdbc8be35dc7f7192991d272f4bd25bed2dd86e53b6dcf715ed365b2d898	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = d4961eebb318e2fc2e67deb6aa245d338964b337ffbcebd725ffb4c56dd232cd	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = a3168bdec7b1ae757c8d129d47a2aa49ba5b771debc616c99c5e83b5d82d84f7	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 725d308e9c515294b8abaa8c1dc5a8e91daece1151831a3dc5b15bca341c5d85	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0043006f006d0070006100720065004700720061006e0074002e006a007400780000000000	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0043006f00700079005500730065002e0070006f007400780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c00460069006c00650073002e0064006f006300780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c004f00700065006e005200650064006f002e007600730073006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 83546797bdfaeb5c0ef88c4b586d21122246409e9fca62b30c26c881ec075577	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 8891d3254493deb8021c0e7424830d6e4dae1d8f60dd8f986e9e59e53fb01ff6	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 370d85eaaaf0e9988ff88b4fe20f7dcfc163962da83598dc5cef8537e28403f8	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 4c02ff01a8f77a5082063acb751639528032aaed825d12b836eb15d21c1491d8	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecisionReason = "1"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0049006d0070006f0072007400470072006f00750070002e007000700074006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 78cab0a7d6535388495284c45c79f942febf164ac2b3ba7b39c2f5aab88049cb	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = f056c44765599b77701b072df8161612c631f4acb9506f64184b77c1e3621f76	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 0e8e861765dedf13c1fd5cf6d1b8861bd040ee48d8083d35b36f3c6ac6c6f794	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 1097331e7ec66f7486a49bfbed00211a936a0fb0b15d8248a341552d905bcd7b	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = cccb5b8d3d6a64b4cd2a41facdd9d4f4cf5872827698b33685bb5aceb255ec00	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{af35dda3-cc48-11ea-b356-806e6f6e6963}\MaxCapacity = "29"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c00530065007400570061007400630068002e006f007400660000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c004100720065002e0064006f006300780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = bb0da314ab0934b863e13e14c85bb2a75b799bf10e9ca56384fc14f6f86bea12	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\32-e2-17-db-d2-77	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = b0dbcdf2c9380b381b3e98cb708b8d8f059a0a1ce5a2f1fa8639fd32bb115b75	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0055007000640061007400650049006e0069007400690061006c0069007a0065002e007600730073006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 3ed553bb8fc40b4a5c3daae48a49f648c9e2d57995b0209fdcf5f1ae50bcf867	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c004e00650077004f00700065006e002e0076007300780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 41ae31b743c89a2b609fe6b967e3520d9768bad43308660d65e30a5a8fc19b8d	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 06825076bb7311209abdcdfc702f626d51b4541562bf30f663e1b029e856725f	Setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c005200650063006f0076006500720079005c00300035003100620065003100380032002d0063006300350031002d0031003100650061002d0061006300310033002d003400360066003800610037003600300030006500620065005c00570069006e00720065002e00770069006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c004f00750074005200650064006f002e00680074006d0000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c004f00700065006e0053007400650070002e0064006f00740000000000	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = bfa9fc2c173f8495508c239d1e0cc1828df9a158864dfba0f21c4b16c27bc395	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = cb753796c17e4d7d95d84494102c93e6a20cceb280387d400fa07e28ccb23ffd	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = ef72c53add2686dea07fc4f56f8bd28aa0f612266a49199518dca7d3a5b17ca9	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 7a13111946a93f132886faff599ab4437c61079aa828130011f20c2ad33f68df	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{af35dda4-cc48-11ea-b356-806e6f6e6963}	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c004200610063006b007500700055006e0062006c006f0063006b002e006a00730000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0043006f006e00760065007200740052006500710075006500730074002e006d003300750000000000	Setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 86daca9266c3b41fedbb09f8703c364d48628d9a97a2bf13a2bf15b6e4277da0	Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy = "1"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 45ce1e207dd0de3d4bb4e3099cfa1f11635f3c01619d87b8ba4d28d201121101	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = dd0b8d18dac5a06812bea77f47f49381eb4b012c6234846409c8439ccb9bd636	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = b6ffbbc810e730716dff8bcc934dcaf9b1ee5b313869ef559191d62c4dd5da37	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 100ad9fc9c237201cb6eb1114bb264f88406990fc11f112b8f46211a28e7daef	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 331980e8fcea82676bb79e134a58c4b373df9ab42311dd68876d6cd07531d7a3	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c004d006f007600650053006100760065002e0077006100780000000000	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 2231c4906176853590f69fa7b4ca4c1c95f718799a15740d7649712af28b2a82	Setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 704819513797d601	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 40d6290a778302343e731ae4790664bc156caf462b61748973198d1f53b4ed35	Setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = d81a394dc42b9d3f5d5947c433bd9e38b55042a519a11865001555b3e5aa62fb	Setup.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\47TJ4Z\windows.sys:dhpkxqkdun	Setup.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\bGMJEE\windows.sys:qvqhfjkvnrdtqgtt	Setup.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\47TJ4Z\windows.sys:dhpkxqkdun	Setup.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\SITvts\windows.sys:qxoyhxveerelbnrwg	Setup.exe

Suspicious behavior: EnumeratesProcesses 1312 IoCs

pid	Process
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe
748	Setup.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	Setup.exe
Token: SeRestorePrivilege	748	Setup.exe
Token: SeDebugPrivilege	748	Setup.exe
Token: SeSecurityPrivilege	748	Setup.exe
Token: SeRestorePrivilege	748	Setup.exe
Token: SeDebugPrivilege	748	Setup.exe
Token: SeBackupPrivilege	1932	vssvc.exe
Token: SeRestorePrivilege	1932	vssvc.exe
Token: SeAuditPrivilege	1932	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1752	WMIC.exe
Token: SeSecurityPrivilege	1752	WMIC.exe
Token: SeTakeOwnershipPrivilege	1752	WMIC.exe
Token: SeLoadDriverPrivilege	1752	WMIC.exe
Token: SeSystemProfilePrivilege	1752	WMIC.exe
Token: SeSystemtimePrivilege	1752	WMIC.exe
Token: SeProfSingleProcessPrivilege	1752	WMIC.exe
Token: SeIncBasePriorityPrivilege	1752	WMIC.exe
Token: SeCreatePagefilePrivilege	1752	WMIC.exe
Token: SeBackupPrivilege	1752	WMIC.exe
Token: SeRestorePrivilege	1752	WMIC.exe
Token: SeShutdownPrivilege	1752	WMIC.exe
Token: SeDebugPrivilege	1752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1752	WMIC.exe
Token: SeRemoteShutdownPrivilege	1752	WMIC.exe
Token: SeUndockPrivilege	1752	WMIC.exe
Token: SeManageVolumePrivilege	1752	WMIC.exe
Token: 33	1752	WMIC.exe
Token: 34	1752	WMIC.exe
Token: 35	1752	WMIC.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1828	748	Setup.exe	25
PID 748 wrote to memory of 1828	748	Setup.exe	25
PID 748 wrote to memory of 1828	748	Setup.exe	25
PID 748 wrote to memory of 1828	748	Setup.exe	25
PID 748 wrote to memory of 1828	748	Setup.exe	25
PID 748 wrote to memory of 1828	748	Setup.exe	25
PID 748 wrote to memory of 1828	748	Setup.exe	25
PID 1828 wrote to memory of 1896	1828	cmd.exe	27
PID 1828 wrote to memory of 1896	1828	cmd.exe	27
PID 1828 wrote to memory of 1896	1828	cmd.exe	27
PID 1828 wrote to memory of 1896	1828	cmd.exe	27
PID 1828 wrote to memory of 1896	1828	cmd.exe	27
PID 1828 wrote to memory of 1896	1828	cmd.exe	27
PID 1828 wrote to memory of 1896	1828	cmd.exe	27
PID 748 wrote to memory of 1844	748	Setup.exe	29
PID 748 wrote to memory of 1844	748	Setup.exe	29
PID 748 wrote to memory of 1844	748	Setup.exe	29
PID 748 wrote to memory of 1844	748	Setup.exe	29
PID 748 wrote to memory of 1844	748	Setup.exe	29
PID 748 wrote to memory of 1844	748	Setup.exe	29
PID 748 wrote to memory of 1844	748	Setup.exe	29
PID 748 wrote to memory of 332	748	Setup.exe	31
PID 748 wrote to memory of 332	748	Setup.exe	31
PID 748 wrote to memory of 332	748	Setup.exe	31
PID 748 wrote to memory of 332	748	Setup.exe	31
PID 748 wrote to memory of 332	748	Setup.exe	31
PID 748 wrote to memory of 332	748	Setup.exe	31
PID 748 wrote to memory of 332	748	Setup.exe	31
PID 748 wrote to memory of 1356	748	Setup.exe	33
PID 748 wrote to memory of 1356	748	Setup.exe	33
PID 748 wrote to memory of 1356	748	Setup.exe	33
PID 748 wrote to memory of 1356	748	Setup.exe	33
PID 748 wrote to memory of 1356	748	Setup.exe	33
PID 748 wrote to memory of 1356	748	Setup.exe	33
PID 748 wrote to memory of 1356	748	Setup.exe	33
PID 748 wrote to memory of 576	748	Setup.exe	35
PID 748 wrote to memory of 576	748	Setup.exe	35
PID 748 wrote to memory of 576	748	Setup.exe	35
PID 748 wrote to memory of 576	748	Setup.exe	35
PID 748 wrote to memory of 576	748	Setup.exe	35
PID 748 wrote to memory of 576	748	Setup.exe	35
PID 748 wrote to memory of 576	748	Setup.exe	35
PID 748 wrote to memory of 1652	748	Setup.exe	37
PID 748 wrote to memory of 1652	748	Setup.exe	37
PID 748 wrote to memory of 1652	748	Setup.exe	37
PID 748 wrote to memory of 1652	748	Setup.exe	37
PID 748 wrote to memory of 1652	748	Setup.exe	37
PID 748 wrote to memory of 1652	748	Setup.exe	37
PID 748 wrote to memory of 1652	748	Setup.exe	37
PID 1652 wrote to memory of 1752	1652	cmd.exe	39
PID 1652 wrote to memory of 1752	1652	cmd.exe	39
PID 1652 wrote to memory of 1752	1652	cmd.exe	39
PID 1652 wrote to memory of 1752	1652	cmd.exe	39
PID 1652 wrote to memory of 1752	1652	cmd.exe	39
PID 1652 wrote to memory of 1752	1652	cmd.exe	39
PID 1652 wrote to memory of 1752	1652	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies data under HKEY_USERS
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit /set {default} recoveryenabled No
  2⤵
  PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:332
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  PID:576
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-0-0x0000000003D50000-0x0000000003E51000-memory.dmp

Filesize
1.0MB

Download
memory/748-27-0x0000000004160000-0x0000000004171000-memory.dmp

Filesize
68KB

Download
memory/748-29-0x0000000004160000-0x0000000004171000-memory.dmp

Filesize
68KB

Download